Refactored client distributor C API.

 * Still not perfect, but the code before was not even able to deal with JSON arrays.
   Use common "speaking" function names for all functions in nDPIsrvd.h
 * Provide a more or less generic and easy extendable JSON walk function.
 * Modified C examples to align with the changed C API.
 * c-collectd: Reduced lot's of code duplication by providing mapping tables.
 * nDPId: IAT array requires one slot less (first packet has always an IAT of 0).

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

523 files changed, 2127 insertions, 2127 deletions

diff --git a/test/results/1kxun.pcap.out b/test/results/1kxun.pcap.out
index c49dac76f..7e0151494 100644
--- a/test/results/1kxun.pcap.out
+++ b/test/results/1kxun.pcap.out
@@ -147,11 +147,11 @@
 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":197,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379271401,"flow_dst_last_pkt_time":1470104373232452,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104379271401,"pkt":"AQBef\/\/6SNIkYzEACABFAAChOp0AAAERyODAqAUs7\/\/\/+si9B2wAjdLxTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":198,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271484,"flow_dst_last_pkt_time":1470104379169121,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":92,"pkt_l4_len":38,"thread_ts_usec":1470104379271484,"pkt":"MzMAAQAD\/PiuMpcsht1gAAAAACYRAf6AAAAAAAAA6Y+64hn3aw\/\/AgAAAAAAAAAAAAAAAQAD1mgU6wAmi+DsIAAAAAEAAAAAAAAM5bCP5L2b5bCI5qmfAAD\/AAE="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271492,"flow_dst_last_pkt_time":1470104379169283,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1470104379271492,"pkt":"AQBeAAD8\/PiuMpcsCABFAAA6KxsAAAER6ZTAqANf4AAA\/NZoFOsAJg3d7CAAAAABAAAAAAAADOWwj+S9m+WwiOapnwAA\/wAB"}
-01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":11413.0,"max":56171,"stddev":20339.8,"var":413706496.0,"ent":3.1,"data": [26,52106,52225,22,5484,34,48207,11555,801,69,59,49,273,37,27,28,464,56171,23,50473,3499,84,64,53877,45,17726,143,82,52,49,50,0]},"pktlen": {"min":54,"avg":835.9,"max":1314,"stddev":585.3,"var":342554.8,"ent":4.5,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":12315.4,"max":66248,"stddev":24063.6,"var":579054976.0,"ent":2.8,"data": [30,54573,54712,41,4152,56,64506,68,36,30,74,39,719,84,86,86,61743,22,885,65392,59,66248,63,504,2917,559,54,52,83,3871,32,0]},"pktlen": {"min":54,"avg":757.1,"max":1314,"stddev":600.3,"var":360321.4,"ent":4.4,"data": [66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":12274.6,"max":66840,"stddev":23326.2,"var":544113344.0,"ent":2.9,"data": [36,53209,53269,23,4558,53,61521,40,293,57,57277,26,5093,104,312,45,266,88,5943,34,1372,65090,55,53,50,66840,34,3844,90,757,80,0]},"pktlen": {"min":54,"avg":757.2,"max":1314,"stddev":600.2,"var":360235.6,"ent":4.4,"data": [66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":12746.7,"max":96474,"stddev":26329.7,"var":693255296.0,"ent":2.7,"data": [37,50730,50813,26,5716,35,60276,105,70,53,49,73,718,44,49,52,342,56283,26,72323,56,48,50,164,52,68,54,259,49,96474,55,0]},"pktlen": {"min":54,"avg":847.0,"max":1314,"stddev":555.0,"var":308021.3,"ent":4.6,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":15694.4,"max":142000,"stddev":32346.1,"var":1046270720.0,"ent":2.8,"data": [54,51945,52076,32,5225,53,60454,877,31,40,63,40,400,73,48,50,170,85115,142000,23,40785,2483,129,70,65,43573,78,404,66,55,49,0]},"pktlen": {"min":54,"avg":836.0,"max":1314,"stddev":585.2,"var":342449.5,"ent":4.5,"data": [66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":11413.0,"max":56171,"stddev":20339.8,"var":413706496.0,"ent":3.1,"data": [26,52106,52225,22,5484,34,48207,11555,801,69,59,49,273,37,27,28,464,56171,23,50473,3499,84,64,53877,45,17726,143,82,52,49,50]},"pktlen": {"min":54,"avg":835.9,"max":1314,"stddev":585.3,"var":342554.8,"ent":4.5,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":12315.4,"max":66248,"stddev":24063.6,"var":579054976.0,"ent":2.8,"data": [30,54573,54712,41,4152,56,64506,68,36,30,74,39,719,84,86,86,61743,22,885,65392,59,66248,63,504,2917,559,54,52,83,3871,32]},"pktlen": {"min":54,"avg":757.1,"max":1314,"stddev":600.3,"var":360321.4,"ent":4.4,"data": [66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":12274.6,"max":66840,"stddev":23326.2,"var":544113344.0,"ent":2.9,"data": [36,53209,53269,23,4558,53,61521,40,293,57,57277,26,5093,104,312,45,266,88,5943,34,1372,65090,55,53,50,66840,34,3844,90,757,80]},"pktlen": {"min":54,"avg":757.2,"max":1314,"stddev":600.2,"var":360235.6,"ent":4.4,"data": [66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":12746.7,"max":96474,"stddev":26329.7,"var":693255296.0,"ent":2.7,"data": [37,50730,50813,26,5716,35,60276,105,70,53,49,73,718,44,49,52,342,56283,26,72323,56,48,50,164,52,68,54,259,49,96474,55]},"pktlen": {"min":54,"avg":847.0,"max":1314,"stddev":555.0,"var":308021.3,"ent":4.6,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":15694.4,"max":142000,"stddev":32346.1,"var":1046270720.0,"ent":2.8,"data": [54,51945,52076,32,5225,53,60454,877,31,40,63,40,400,73,48,50,170,85115,142000,23,40785,2483,129,70,65,43573,78,404,66,55,49]},"pktlen": {"min":54,"avg":836.0,"max":1314,"stddev":585.2,"var":342449.5,"ent":4.5,"data": [66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00833{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":286,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":286,"pkt_l4_len":252,"thread_ts_usec":1470104379579523,"pkt":"\/\/\/\/\/\/\/\/jHNut5QdCABFAAEQAABAAEARs0nAqAVDwKj\/\/wCKAIoA\/P+KEQouQ8CoBUMAigDmAAAgRkRFQkVPRUtFSkNORU1FSkVHRUZFQ0VQRVBFTENOQUEAIEZIRVBGQ0VMRUhGQ0VQRkZGQUNBQ0FDQUNBQ0FDQUJPAP9TTUIlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQAATAAAAAAAAAAAAAAAAAAAAAAAAABMAFYAAwABAAEAAgBdAFxNQUlMU0xPVFxCUk9XU0UAD1DgkwQAU0FOSkktTElGRUJPT0stTAQJA5qEAA8BVapzYW5qaS1MSUZFQk9PSy1MSDUzMSBzZXJ2ZXIgKFNhbWJhLCBVYnVudHUpAA=="}
 01022{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System","hostname":"sanji-lifebook-"}}
@@ -167,7 +167,7 @@
 01009{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":404,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379903616,"flow_src_last_pkt_time":1470104379941700,"flow_dst_last_pkt_time":1470104379940364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":336,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379941700,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49605,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/videos\/10410.json","code":0,"content_type":"","user_agent":""}}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379916943,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104379954670,"pkt":"ABxCjnAxTF4M6gNlCABFAAA0AABAADYGguxquSNuwKhzCABQwcaIrnkOwQ72oYASchC\/lAAAAgQFtAEBBAIBAwMH"}
 01031{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":409,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104379956802,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379956802,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/movies\/mp4script\/10410?definition=true","code":0,"content_type":"","user_agent":""}}}
-01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":14506.6,"max":146838,"stddev":33179.1,"var":1100853504.0,"ent":2.6,"data": [56,37783,37994,70,1795,58,38952,109751,153,146838,45,329,66,113,56,463,29,236,62,115,388,44,244,36267,36544,26,410,130,482,92,113,0]},"pktlen": {"min":54,"avg":707.6,"max":1314,"stddev":612.0,"var":374554.6,"ent":4.3,"data": [66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":14506.6,"max":146838,"stddev":33179.1,"var":1100853504.0,"ent":2.6,"data": [56,37783,37994,70,1795,58,38952,109751,153,146838,45,329,66,113,56,463,29,236,62,115,388,44,244,36267,36544,26,410,130,482,92,113]},"pktlen": {"min":54,"avg":707.6,"max":1314,"stddev":612.0,"var":374554.6,"ent":4.3,"data": [66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104380188079,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104380188079,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.244.135.170","src_port":49607,"dst_port":9099,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188079,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":459,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1470104380188122,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188122,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"}
@@ -224,7 +224,7 @@
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382053678,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053678,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":570,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053709,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"}
-01946{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":70487.1,"max":398999,"stddev":104302.2,"var":10878943232.0,"ent":3.6,"data": [50,76520,76599,25,1136,41,62341,85,61755,47,298859,73,398999,66467,177,166123,34,60273,507,89,60822,34,117112,46,178142,469,61984,45,102335,44259,349653,0]},"pktlen": {"min":54,"avg":364.6,"max":1314,"stddev":410.3,"var":168364.1,"ent":4.2,"data": [66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54]},"bins": {"c_to_s": [9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01944{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":70487.1,"max":398999,"stddev":104302.2,"var":10878943232.0,"ent":3.6,"data": [50,76520,76599,25,1136,41,62341,85,61755,47,298859,73,398999,66467,177,166123,34,60273,507,89,60822,34,117112,46,178142,469,61984,45,102335,44259,349653]},"pktlen": {"min":54,"avg":364.6,"max":1314,"stddev":410.3,"var":168364.1,"ent":4.2,"data": [66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54]},"bins": {"c_to_s": [9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":573,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1470104382122949,"pkt":"ABxCjnAxTF4M6gNlCABFAAAsAABAADEGLgi3gzCQwKhzCABQwc0rYeLSUifAPGASOQhglAAAAgQFtAAA"}
 01501{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":577,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125031,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":503,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382125031,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":0,"content_type":"","user_agent":""}}}
 01528{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125065,"flow_dst_last_pkt_time":1470104382192288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":281,"midstream":0,"thread_ts_usec":1470104382192288,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":206,"content_type":"video\/mp4","user_agent":""}}}
@@ -252,7 +252,7 @@
 00897{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":608,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1470104383810371,"flow_dst_last_pkt_time":1470104383815221,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1470104383815221,"pkt":"ABxCjnAxTF4M6gNlCABFAAFIAAAAABARrEPAqHcBwKgFEABDAEQBNHbOAgEGABeXwMwAAAAAwKgFEMCoBRDAqHcBAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQE\/wAAAAAAAAAAAAAAAAAA"}
 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":612,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1470104384085549,"flow_dst_last_pkt_time":1470104378045830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384085549,"pkt":"AQBef\/\/6\/PiuMpcsCABFAAChLEMAAAER2QfAqANf7\/\/\/+uhMB2wAjbUvTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":618,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1470104384289461,"flow_dst_last_pkt_time":1470104381217586,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384289461,"pkt":"AQBef\/\/6CJ4BzeuNCABFAAChFFAAAAER7zTAqAUl7\/\/\/+t\/tB2wAjbvITS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
-01841{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":183050.5,"max":862765,"stddev":252834.9,"var":63925489664.0,"ent":3.6,"data": [31,69271,69368,26,1928,34,67940,1399,6083,291,73959,37,665858,862765,47,408647,411020,37,251400,251827,47,336785,335976,58,329935,190,130781,55,599505,799208,58,0]},"pktlen": {"min":54,"avg":383.3,"max":1078,"stddev":452.5,"var":204736.5,"ent":4.0,"data": [66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":183050.5,"max":862765,"stddev":252834.9,"var":63925489664.0,"ent":3.6,"data": [31,69271,69368,26,1928,34,67940,1399,6083,291,73959,37,665858,862765,47,408647,411020,37,251400,251827,47,336785,335976,58,329935,190,130781,55,599505,799208,58]},"pktlen": {"min":54,"avg":383.3,"max":1078,"stddev":452.5,"var":204736.5,"ent":4.0,"data": [66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211573,"flow_dst_last_pkt_time":1470104382241911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211573,"pkt":"AQBef\/\/6uKxvwfbSCABFAAChJ0oAAAERfD7AqGUh7\/\/\/+ti9B2wAjWL8TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211727,"flow_dst_last_pkt_time":1470104382242882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211727,"pkt":"AQBef\/\/6cPGh+Cr9CABFAAChfwAAAAERhKDAqAUJ7\/\/\/+ti8B2wAjcMVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":631,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385418800,"flow_dst_last_pkt_time":1470104382448863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1470104385418800,"pkt":"AQBef\/\/66LH8q\/uyCABFAAClCewAAAQR9ojAqAUx7\/\/\/+sn4B2wAkYV1TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="}
@@ -522,7 +522,7 @@
 00903{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1470104373025824,"flow_src_last_pkt_time":1470104373127416,"flow_dst_last_pkt_time":1470104373025824,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":26,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":52,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip4","src_ip":"192.168.5.44","dst_ip":"224.0.0.252","src_port":59571,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1470104377634231,"flow_src_last_pkt_time":1470104378045036,"flow_dst_last_pkt_time":1470104377634231,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip6","src_ip":"fe80::edf5:240a:c8c0:8312","dst_ip":"ff02::1:3","src_port":61603,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1470104377720702,"flow_src_last_pkt_time":1470104377820998,"flow_dst_last_pkt_time":1470104377720702,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"224.0.0.252","src_port":51458,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":1464012.6,"max":45001141,"stddev":7948794.0,"var":63183326806016.0,"ent":0.1,"data": [34,54477,54551,26,4891,45,65495,70,68,364,89,71,208,46,29,27,25,61484,19,69006,62,56,48,731,52,51,51,454,70696,24,45001141,0]},"pktlen": {"min":54,"avg":795.6,"max":1314,"stddev":593.2,"var":351838.7,"ent":4.5,"data": [66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":1464012.6,"max":45001141,"stddev":7948794.0,"var":63183326806016.0,"ent":0.1,"data": [34,54477,54551,26,4891,45,65495,70,68,364,89,71,208,46,29,27,25,61484,19,69006,62,56,48,731,52,51,51,454,70696,24,45001141]},"pktlen": {"min":54,"avg":795.6,"max":1314,"stddev":593.2,"var":351838.7,"ent":4.5,"data": [66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_packet_id":1,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470104424738880,"pkt":"\/\/\/\/\/\/\/\/AAwpjO\/4CABFAABOZ6MAAIARUUPAqABowKj\/\/wCJAIkAOgIy8PkBEAABAAAAAAAAIEZERURDT0VCRkNGQ0VCRU9FREVCRkNDT0VQRkNFSEFBAAAgAAE="}
 00895{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"sc.arrancar.org"}}
@@ -808,9 +808,9 @@
 16052{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1490,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":144,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136216297,"flow_dst_last_pkt_time":1654385136563824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":11586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":11586,"pkt_l4_len":11552,"thread_ts_usec":1654385136563824,"pkt":"nLbQ0+MztKXvZygQCABFAC00DihAADYGILqsaXlSwKgCfgBQtISflMKw6t\/AxoAQAOsWCQAAAQEICsmhz1fytRrc\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APBdf1K+GvXii9uOLh+PNP8AePvX3sYx5VofGybuyCPU74H\/AI\/bj\/v6aJRT2Rm7k8epX4YOt9cAjuJWH9aSST2IblqrnQL4t8Q3MQik1KVRjBKHBP1NevVznGVKfJdLzSSb+f8AkeVSyfB0586Tfk22l8hyahfbc\/bJ8\/8AXQ815Liup6V3awj6le4P+mTc\/wDTQ1m4rsRKT7kYvbvJJuJTk5OXPJosuxnd9xJ9QvGGGupW9MuaaS7FXfcjS9u1O5bmUHvhyKvRju+4Nf3e7f8Aapd3rvOaq3kNXvuRPql6uVW7mAPo5qko9hq\/cZFqF3nAuZQD1Ac1XLHcevcuW+pXqji7mHsHNZuK7EO66k0Wo3I5+0SfUMaOVPoLXuSnUb0qV+1zFfTeanlXYSchh1G9Xpdygf8AXQ1SiuxevcaL++yMXU2Ov+sNXyrsUnLuPF\/fA\/8AH5Pg\/wC2apKPYbb7kqX98W\/4\/J\/+\/hoaVtiHJ9yaLUb3OPtc3\/fZqLLsCnJolTUb4HP2yb8XNJ27Cu72uNOo3p\/5epvpvNPlXYTb7jW1G+xj7XN\/32atJLoOM5EcmoXuP+Pub\/vs0JK+w3KSBb+9zzdzZP8A00NU0mtENSa6iS6nqCQMFu7gqSMgSdTnA6njk1nJxirsuHNOVkN8XeLPDuh303hfxGPGllIeZruy8lXkXpmLfkhDg4IwTXlSxlaS9yMV+Z6dHD04WlJ3OW0e88CpLqdx4X8Zawt5bwNNax+Jm8oz7efLSRCU3nnAbGegIzURrTi1KUfuO2ac9E9Dnpfid4iuNdW5XUWkd8Zi85xHNx93B5Vu1diqNO8UZyw6kmpM9K0vWLm+0u3voby4CTpu2MWDRnOCpz3ByK9SDjKKdjyatOdOTi2Wlvr3Oftc2R\/tmqtHsYtvuSJqF6SP9Lm\/7+GqUV2FzPuWX1S8ZNhuZCQoVW8wjaB6fWlyrqhcz7jF1G9Ax9qm\/wC+zTcI9ik33GtqF5zi7m\/77NHLHsHM+4qajegY+1Tf99mk4R7Am+5Il9et0upv++zScYroHNLuSw3F40yAXcpP++ayqpW2Nad77m7bpeKgMtzMB3+c1zx0exvJe7uUby7uopmQXUuB\/tmupJW2OZN9WZV5qd4krbbuY\/8AAzVWj2C8n1KjanqLHm7mx\/vms7JvYpXsXLS+vcZN1N\/32atRXYlt3LDX92RxdSn\/AIGazcoroaxi2tyE6heE8Xcv\/fZq4qL6EyUlpcVb+9Jx9qm\/77NaKMexnd9y1BdXxAP2qX\/vs0\/d7A3LuWYby9B5upv++zQ1HsS2+5bgvrr\/AJ+Zc\/7xqHGPYTbvuLLf3fa5l\/76oUIvoVGbRE2oXn\/P1L\/32aiyT2NubmW46O9vSf8Aj6l6\/wB41olHsYyuupYS8vNvNzJ\/31T5Y9iby7kiXd2f+XmXH+9TUV2DmfckS5u8D\/SJP++jVcsewc0u5PDcXhPNxL\/31Ryx7BzPuWkurkDP2iTp\/epcsewnJ9yveXt8WBW4kH\/AqiUE+hpTnpuWIr68EY3XEmR1+aqUI22M5N9Gb3hnVJwwJmY\/U1y1oLsQ3LudXLqQNod9wc46ZrjUHfYjn8zldWuZWnJjuH68YNd1NK1mieZ9yGDULmMAGd\/zq+VdgfM+pDf6vcqhCzuSfeqSj2KipPqZc13eFC32mT\/vqlzRvaxvytLcggv7sT7jdSf99U3FPoHM7bl\/7XczJn7RJx0+as3FdjJzlfcW1kuo0bNxJljnO40KMewnNt6sFurtWYedJj13Gm4prYG5PqfNuvpjXr0+tw\/\/AKEa44u8Ujvk9WVNvH+eavUVx8WemaZLNWwOFH0pEW1NNXwnT86TehLRGWB5qGjGSFJOKRKIXOckk4prcaWokRNPVajtYVgSuAafMUiIxZNXcq45IyDS5kQ2TKM8dKTY3qPjOOlVcT7Eqn5eTQGwx2yTVRBMVCevansO5MpGKBvYeHHGKaE2SKwGDmkJIfuwKhsHcN+WweM1SDW5Vu7+zt5khnuYo5ZPuIzgM3uBQ5JPUtU21dLQ3DowXw1Lqs+pW0biLzYbcHc7Jnl2AOQo9a0tFL3nYcYtuzMC51O0MkdrY3VtcySMTtilJQL\/AAyFyOh7DqB1rGVdWOhYW4XtzptnB9o8ToP7PjDF7AzBDezAZi+Yc7ATu468CuTESlOK5XZo3o0eVu5w3xEuNb8beKLnX4rK4uonjiggEbB3VEQIq8ck8E8CuGLUI2k9TtUErJLQ4fVbW5sLSeK8gmt5iMGOeMo4\/A1vBmsE3USMfTbhwwiLkfMCh9D600dlWOnMj6W+Hl9p2s\/BaCW3y2oWl2WuSVO5HIAYE994AOOxT3NexSanBOGi6+p4eJg3NtjkJK7ugPT3rVM89olVgEDZyW4HH507iHPxEsgOc8H2qr6BYYXzUbBYcppsbRPbxNKcKKd7bisXBazouTE231AqbooI3MUgfoVPek1cFKxpHWFMJyTnHTFZ+zVy\/a6GTcTvLKTuxmtUjN6laVC569e9Fhp20FhgUHLYNSopGi13JZchcLUOZap9RIQcHOeahq+ppdINnPrWkLoyqSuKg5B71sZbl22kAHUUrag2Th8nINVcgfHJgioYEpJPQU0FhyR7jjtTaHcmSLbzntQhEqDJxTsIngTPamrgW4oh1NMm5KF29KBX10FbpzSBtkTDL5zmnYEx2C3WkDZZs2khbKMVqZJMT1LyXEz43SEis+VIVrCGQ\/xdalpENdSKeT5TjmhCMy6c7utaI1inYIC0i7Sc1Lir3LcmkRXMRV8jNaRJTvuW9JPIyelROJLRrKqY9sVlYy6kFwi5+U1cSkz5u17H9u3mT\/y8P\/6Ea4Y7I9CW7KbYJxWiELGBuFNgzTscDHNIRb3\/ACYpWJaBWz3qGYzRIThaRCRDKw\/\/AFU0XEYrjNOw2iYfMakVkO209RXdxwxjNDuJthjvimtQQADPWtRu1hx9u9IQgGadwHLwQKECV3qSL97rVF7MUA5xQ2Jqw9GxnIPtSbGkZOq+JbSyuBD99jxw3+fzrmqV1Dpc6qWFlUVyVdWknsILm1NrGkj7Ge8kaMIecE4HQ46jis\/rXNokbrA23Zi3WlD+1I\/Ed3rNhcSQoS0MaiZGA\/gYfeUNkjNRz8zu9TqhTio8kUzm9f8AEus61rNubSya0W2QpAkf7sqhPILd1z3NTVrSeq0sa0qMYLletx6eFNSlu2t9Lmd4j5cpjWQfuiyhgDzyPTsenWsowbdzWUlFXZ02iWF6biWK\/kVLmxXHlXdqWIzxxz8vHPIx6Gt4t7MwlGO8Sfxdf2VzpkcWnx6ei25CLugH+tz2IwV9fWnNxasyYxaeoal4s1PUvh7b+ENWsodc0yG8MrXF0m6dG2AMkcxOQF7GsJUF8VPc0hPkle5454n0p9O117WC3uVAG9FmQhwvXkew7\/jRDmXx7noUqinC7Ou+D3iS903U3tre4dFuwGVf4RIPun29Poa78PWcW4rqcVakkz1P7XHewJcwRmNX5K5zt55H4V1Xb1PHcFGTRNA4CYZWI7c9BWsGYztc0dKs5ruK5WNSRHbtN\/3yR\/jWnMRsVzDIDhlII7EVDaLsKoK0lJXHytGvoBQsA2KmUmC0OnKqLQgAAGsepfKtzm9YVVlOMc10x2MpKxQFVYgXGKClsAHGc0CuOQHNDGpWHhdwArJw1N1VVrF7SdOlvpxHHx6mnpFakNuWxY1jQp7GPzd29e59KcJKWgmnbUyse9XcaBTg\/wD1qdxNXJoye1K6J5W9ixH0yapK4rWLCN05p2E7liI7TihoSJhycc4pWsG5NCBuweaVykrlyCLIBAo5hOBOCEGCKOdE8gyeULGWU0N6CSaZDHLvYc1KZq46EyLurRGNifARQSM5ouA25kAgLDqO1TcpIZp15vk2HipYpx0LrnJz2rNswGOvynJ61N7AZ9yOTWq1Nosn00ChhPckvkXYT3oiyYmYL4xSbQKJs6IQvozVsb3zY8luahPsZ1KVth8s4A65q1oZKPY+bddkLa7fdcfaX\/8AQjXEvhR6Ul7zKu89xTWpNiWJuR6UyWaNiDtBNBHUtE4HWpbJkwjOOlQ2QPMnGMc0lZgV5HJOaYDEJLdTzTSuxliIsOM07CJ1cYwDRa7Cwu7Ham0iGhAwNJ6B0F7YzVJ3DQdnkE07jsLmmTYkUZx3xS2LumO5HWncYm7Bqb3AzPFurJpOlNOdpkf5I1J4JxyT7AVjUnyxub0KXtJ26Hj+qazdXN8WikJ+bexPO8\/4egrlULq7PoYU0oJMbJ4l1Nh5c0iTpnI8wcj6UnTRaoxsWtButT1PW7O1hdA8zkooGGAAJLZHsD+VZqKvaL1H7NRVzudQ+K95L4YudCax01FsxshuBaoJpFZhlC2MkZJatvaPlVkczw95ud9zndM8WLZ6hHJDEscEyBfLQldgHVfoTnj3qYtJsHCTXoP1vxbqWoX0cTXs7xQ8W8jv+8QHjBI646flUzvvcmKS1sWGuo5dIUER3lzGAxHn8n\/ZZSM8Um31Nbdth\/hzW7+DUojfQEgKRDbltgbdx8yjsMnGOvrWlGeur0RjiI6aLU9sk8JeCvHJae\/1KSye6jgs\/tBIIZjJsCgcZyGHTso7V6U4wm+bueSsRXw60W12eIeOPCF74A8X2cGpIIo7iMz2bK2d0QkKgn\/axjjtXG6TpTsezCtGvT54nceB7gXGjN+8z5crDbjAUHkY9Qa76ElKJ5OLTVQ3oQXQDd0O0D1raUuVHPCPM7Hb+DLe3MAwwGVw3r9K4J4lt2PQWF03F8VwWucqFDAckVtGblE55RSZyjqO1CuOSVgjYo+VJBHQg11Rjc5GtTUi1O48oL5mR2zUuCHzFS7mMkhLHNXFEPVjbSMzzrGONxApykkilFvQ6eXQ1W0wEGAvWudVrs0dK25zMqeXMU9DXQZND1XjkUCLtjEpjLHmpbKUbl\/T7wabOJQuQfvYpSjzIpPlLev69bXViYYQctwSazhTlF6lXTOZB9K1QrACD9ampPlVzWnDmkkS22TzXlurUlM9T2MIRLSgivWo8zjqeRWtzWRLCCTgDNa7GJct4z+PvTuSW4oiRSC5Yiix2rJmsWW4dqjmlZsJNDbpd68ZNFmgUkQrCzAgg4qkiL6iRWu2XJ49KaC5chQYqrmexBq0wjj4PI96iTsrlRiVtPkMwIbpUqV9Qk7E0UBjlL56UyeYsxzc7TWckyZMsoheM8Vm2YXsUryIqT79a1g9DSIWbrHy3Aq5I1ab0KmrXyq3yuCaSHCDuZkjmY7s4NaWTRuvdLdlJ5KgZye+alQtsZVJuZIbgsTzTtYxSaPCvEKga7e\/9fD\/APoRrzou0Ud8nqyntzVXFcliXmhEtmjZjCjOKGyWSyHnHFQyADDHXpUvUQN0zkVSVkJEbAE0g0uNUYPHGa0TViiYMQeo4piF3c9aOgChj0pCdh6k+tK4bD19M0bCuhwJzVJhcdGxxTGT25Xcc0O4JaiynJ5PSgl3ItwHHSlZlI8x+L2pPceKFsmkIgsogpUHqzcn+n5Vy1XeVme3gadqN+rONlG0FiOoyai7R6C1djZ+GXhC88X649rAwjhhQyTSMOAOyj3NcmLxMaEFJ6tnZTpOo7I9i8OfCa20fTmvZ5ZHu4o3MBQ4MIx0z34z+deLPMakpXjodccHFK8tWeaa7oFq3iS4ijXahBk2kcjCkgfj\/SvSo15OmmzhqU\/eaRzV5EV+6oOXyT\/P+VdUXdnCprYJc+Z58YK4A4A\/A\/0q7aBF6WCa6EzGC4RVKjCODjbTt1GotLmiylDeXtlcbllbcp\/jOavlTOhxjNXPRPhr8RbqyjjtLvTbO+Fm7T2ayBgBcNhRITnkKM8euK2hVlHQ4MRg4yu72ub3jCQ+MvhjqHn3EN34g0S4\/tMyf8tJYWZllRfVQNjkdtppuSqxd90KjT9lUVtnp93UX4RNHceHzOhXex2mMHOQDx+I5+oIrowrTVzlx8bWOrEu1hxtGcke9dU43Vjzoy5ZXNG01OWH5onKnHauJ4aVz0Vi4co261C5uPvuTXZCCijhqTcmRox6+n6U+VXuLmbQ9WI60+ZXsKUWP3HGKtEMGz1qriJrCXypw\/8Ad6VjUTaNqbSZ0ba239nGEvjIx71yxjaVzqnZxMOVw7lietdaZxz0FH3cCmQSwz+Scdc0rXNE7Ed3dlzjsDzVJENpkSHPemxpj1XJz3pJBccFOfrSlFNWZpCViaLC89h2qI4eKdzWdebViyrbhkV0JWOR6lywizg1Mi0jSjiym4AZFCZMkTwL04+tVozIs7F29MGpaHcQA9DVJWQpMlt+T0qZCWxOI1IzipuJtkUygjOOKZSYiqQhODikEtzn\/EczK2OeeKyqvSxvTimix4d\/1AOeaKSsiKyNQEHr1rTU5+oiqBJmpewMuwvhKycTPl1Kt+wwSeOK0gaRVjLupf3TbTyK1ZrHc43VtQnXUPLIIGeua5ZNqR1wScbmpYzt9nLE5rqj3RjLcguNTkibnGKyq1eU1hRU9iCLVmlY4Oce9c7xdzZ4PlWp5j4glX\/hIL0Z6XMn\/oRrJL3UZyWrIEbPOaZDRLFgnNUiWXYW+QdqkkJHI79aSEEbj1oaJH+ZxikIb5nJpglYA5IzRsMdnjPrVJjHp0ptoTHihMVhy+tQwJUPy\/8A1qZLihcc4oHYFyGo1GSLkVoK44HOc0EtjQNzc0ylueV\/FOwVPEGoXyvlXlRCCP49oLfhjFefUuptI+gwUn7OKZylwfvMTkZA\/DFCO2C6H0z+y54UWw8DwXsifvtRP2l8jnB+6Py\/nXzeOqe0rPy0PbwkOWnfuevNpEc1rJGQFEiFSfTIxXGkkzaT0PmH4jWLaVqj6gqtstLlrW7Q9VU8Bj+ORXq4WTl7p5leNvePN523KY8g7X7elepBdTzJJXuMtZFTcrcqRkVrYzmm1oMu4on3PjbkcUloVTk1oVchYwsgR1zgHIJWnc6bdVudX4DuNCsxdR6u7QwXUB8t1j5LAjgSAHGcdgepohe7dznmpyLi+IoINaZrIpHEI3WJY4gkZh27cMMZOckZJycgmq9o4vmQ+VW0Nz9nl7V31LTpXlUAMFABJQg8OB34BB\/CurB25rnLjotw5juLqNkYEkE5KHHqP8RzXopaHiiQnjGfpSYXsToRnjrTS0Al52cEVLLgNBOalI0bVhySqp5onUsZxg5MvW08LpggVmqrZo6dkNnRUOV6E9K3WqM1poNyT0NZs2THxjoTVRM52ZKWIOauxlYZvJPNOyC4igk5xQIkQc5NFimSpnOaYrkg9vxpWKXkPSMsen5VaVhtdy5bQnPTjNUQX7ZfLHPFRJXGnqW45l2beMmoW45xdixAc4q0rGDvsTg8UwSHIvPNFwZMqhASKi+oWJASVyTSFYgeQBgD0HWm1oNeZ2XhJLC7sfLlWLAGDkDNeZXlUjLQ0VmzlPiJo1pDcGS26dxW1GUpq0h6x2Ocs828eBXZaxLRo2soZMueTSvqS4CySBW60ENCi7CjlqXLcXKVL68DDg1UYlqJSEgYEbsD+dW9DRIyNVsopJd4x1qHG5afKhsa+VBiqitbEGbq1v5wzuIFY16KkrnRQrODKmm6aSWwzdPWvNWHaPQeMTR59r+Rr97n\/n5f\/wBCNbQacUckt2Rp90UGbLEHYCqtpczkXYfuCpZOrQ2c470kJkYLYzQ2LyHCTI9KQrMRTknnpVDsSJwvvQSx4JzmncvoKH7elTZkpXHq+fWhJ3CxIjH0p2FYlQ4xSAkB5oJHA5OapDQvOQe1WvMloXOD6UAkLu75oY0cb8S9KebQpgg3SPOboZ74AGP5Vy1IHqYKu+dX22PN9E0+61fWLfS7OJ5Li7mEUar1568eg5rnqVI04OT2PehBykkj7o8E6ZFpuhWlsoUJDCsYOcDgY\/pXyjd3c9uPuqw\/xP4p8MaPEYr3xBZRT9oUfzJM\/wC6uauNKb2REpxWjZ4B8UtX0q91ye8jSWWz1CMwagmwjcvaVc9wcGuyjTmtOvQ5qjizya\/sTaXbBGWSOQYV16HHcfUV60Kl1qeVUg0Z7IyuQOua6E+qMr9yS1eF5jHc\/KOxxytD0V0HLbUq3UJhcERg4zyf4h9O1Lc2hUUtLmlollLe6otnC0tyGIeIQJu5PHI\/h9x7VMXdXaHJNaoj1xWGuzRJwEwqlGHzAt1wOmcdO1PYmyjG50PwevDb+OHhWWSJzMxRhjPHbmtaLcJxkY143pfI9hmkWWV4fI2yEYVd2OR2+oOce3FevdHg1Iq5XUgDPT60Ix1Hq2eQKu40SK5Ax\/OpC7HoN2B61Wlik7lkWi7c4JPrXJVi29DqpWRHHG6Pt6ClCmwqSLMoxHxzjrXSrI5+pHuyPSm0hczQ5ZD0NFkJybJkO7oDSuJ6oVwMjiqQAAD9KBjxmncRJEpJxjrTQizFFj61VhpluNBxgdqLFXLVv8vFNiZITxQ2rCW5Wd3ST8eK5al09DsppOJqWEm5BnrW0XdHJUiosuqe5qzMmhAYgZwahysJnQWfhxryy3wykPjPPQ1zTxKi7NAjB1OG4sLgxTLyD1reM1JXQ73M+SbOfWrvcOUZDdzQSCSKVkPsetS0nowsPv8AUbi6AEsmRUxhGOxS8ynJkjireohsUjRn5uRStYegPcljnPeqWwmQyTnoec0nZMSRWnkJ6n8qoZCk2G60mNaCTuCuMjNSht3K7gkZ7DtTW5Jk6pd+TOEzgHis6skkaxWh0Hh+GOS3yO4ySaqLVtjOUmmeN6+h\/t+9GMAXEn\/oRrzYv3Udcnqyuoxgcir5iSzbc+1V0Ia1L8ZHl4xUBaxFOeMCi5m3roMXlakl7jcEdRTWpV0KnXOKbESIDnOKOgiTb8vFK4gK8DnmmmNOwq8H3q0Nk0Z4osSSqc8dxSYhQe1P1GKrY6dKVgHqxzxRFiHAgirAUcfSh6gZXixGnhjj5OQVOOdq9f6VnJdjpw7szg\/hrpE9x44W3g1L7DK5lWC6PGHUbsZ7ZGa8fFz5KV2rn0mH\/eyUU7H0loLaxq\/gKbw\/qExe7gi2vNEfvrnhga+f5lzXR7sYtxtLc4mbQ9C8Ob9Q8RXDx28LZkfksT7d63VWpJ2iS6UYq8jePiT4eXcMSxRq0DNsjlntiFdu4VumRScK8XzMVN0p6IbrPw18NeKrAnTYktJHGVeJMAN9BWtPEziZ1MPB6NHlPjb4c634eui91ZtIqcbkHDjsR71308XG1m7HFUwll7p51r9r5N8Qm5SOSD2rvhO8Tli+VuLHaUl7NdxW6w\/aXlcKkYGSxPam5KK5noQqcZytDc9o8E+EILbT5dsl6wAIvZNKaON7cjA4LDLlcngYzz9a855lKL20\/E9allUajSlL3vwPMPFnh+fQPHNzps0kc4t2EkVwows8RUMknPTKkcdjkdq9CEozipRejPMxlOeHnKjPdaGd4Tna28XwTxyhiZgcj1J+7z+VaKWlrA17qR73qXmtcebJIHYhfmz8x+UYP9Pwr1IpHztZe+0QAsSS5JJ7+tbHOlcliyTihsryJxE+OhwOtGhLTJY4ZdoZUbH0qJztoawimrk8M0u4Rgcms1I2Whfj0m6mj8wct1xWikupE02UpzJG5jkUqy9Qab0M46kXbNJMUktx0Skt64rQSsXbfaBUsbGy7d2RVIliIDx6U7AaNnZF1yR1oRSQ9rbyX5HXpVomRKigU7giRTigqw4HAzzTEvMehLf\/AF6TC6RMsQdeahq5SnYabpLaUKTih+6VyOZp206ywqy9\/SmtTBpp2H+cFPHFJoRtaF4rkslEMgDJ6jqK5a2HUtUCRX8Vakt8C8RHzVzKUoaHTSpJkOhQI0eXUHimqkmaThGOhj+N2EMRkQY2jPFaupKMbodGjGcrHP6PrAmYJJ1pUcUpO0jbEYFxV0basGXI\/Ou255jTWjI5uRgUwK5+U460kwuQysO2cUBoQSk49aSYEDPx0qmh2I5WbYSDS2BEMEjFgpasnPUtx0KniSxaYLIv51lWi2rmlJrVHQeFhtsQpPIUVpTl7tjGtFcx5D4hXOv3uP8An4f\/ANCNeetIo6JPVlIrzTTFcmt+PpVIXUtqcriqT0B6CSHPepM00wQYXJpMhsd3BxSvcQ5E55p3C5LEg9KVwJGHbtTQEbnnHSqSHbQjdgGGOtOKYldiq57GrBE0bZ70hkmaLAAP\/wBekJjozz0puIEqjBBppCFYjpjg0JWYyKdBIvP4mna5UXY4\/wAVaHDAlpbQK0j3upLj2DHBX361w4qKhTbPWwNV1KqTPov4FeCpPCWkXMYuZbhnzErSsWIUnOOewwAPpXyOIrOrO6R9lRpKnG1zU8aeA9O8U2yLeRsDbzCVdpwCwzjI7gZ6VMJuOpcrPRkXhn4Yabp2iwafbQQLa2js8UIUnDMck8+p9Kudec3qyIxjHRI6GDTYrMFVjVcDHFZKQPYyvF09o2jzWtzEkocYIYZra9tibM+UfjzpUdlrkU9vxHKuCMdCDXrZfUvFxZ5uNglNSLPwc0xoYv7bmhkBcmG2kC5CccyEenQfnU46td8i+ZeBw+vtGemeB9VvTZa3puqWcMOoxRh5JY1ws3zLhsf7Qx0rzZpJp3Pdw61VzzP453kE3xAkgRSGsLKG1lH+0AWI\/DcB+Fe1gIuOHimfPZ9WVbGycTzaxl8u+VxwVkzn05rstc55Xsmj33TrqW9toLuRcboVEjKcjfjr+IGfzr0sPJygmz57GaVXYtoSe9dZyFqzwZlFSxxWp0OnQpvXeBg9aybdjpjG+5pXsEQQ+WBjHSufnbN+RW0OdnkSO83Jg4PatYvuZSTudVouo2j2IbeA2ORnmqs0RzGF4hdJp94xnPUVqtdDJ7mYOOKtR6kyZPEMYIpshMtQAM4BqJOxoo3LwjiaMqEHNZqbuaOCsVfLw5HpXQtTE19PlRYBu6iqtYpPQS9njcgAikpITuQhuOKfMSOTJOabY4k8cRIxSUimi1HBhaLiaHDg49KolIxfFUchj8yMnIrmxCbWh3YWSvZkvhfUM24ic\/MPWsKde2jKxGH6o13kLDIrqVRNXOHkd7ELSqHAwQR0NY+21sbexfLce9yCvT8c1p7JS1M+dx0JoNSmSHZCQKl0oxFzOTKWqzT3g2TYx3x3pKMbGsZSjqZTaUEcPGPfArGWFV+ZHTHGu3KzZ0uF3QJwK6YK0bHDWak7ol1C1khTcrBh3I7VomZLzMyVvfNJjZAXBOCaVwsQTPjgcVSWgEOd3ehuw7j\/ACflznioUrja0H2tlGW3tmm0HM9ieaBGwh59KLJoV2i9pdp5aEhhjFQojabPGNfH\/E+vP+vh\/wD0I15q2RtL4mVwnA4pq1yLj41HXHSqRSXUnHApjepHnJpMylZMen3uazbJHxnmrUbBYkBxTCw8MMf55ppBYUnIzRYCEknmrtoIbtJ6jrTS7FJaAAQeehp3sIkQ9h1obQMlXmkIeuc8GgBy4HSi+ghwcA804odhQ4564pgGQVoegbDLKx+3+INLjEZkkS\/heNfVg4rlxqUsPNt9GduXzaxMLdWj6RuWn05QkKFiDk47k9a+JiforiaPhS+iujKpTYw4ZXHIpuzMWmjSuvLtY2foD2qSkjlNd1IIWIOKSWo2tDzjxXqctzOVXIXtWyMjzXxz4Zl8Q6pbK8gSGIEyHufYfX1rqo1\/ZJ23OapRVRq52fhLQpLiwW1sbOHyYE2FZNyjphSCBzj0rFz1be530aV1ZGb4\/u7XwD4XaTUZBLqMmFhjZv3k5BygI7IDySeTgCtMPSdaoktup0Vq9PCU3J6yex4Fq15PczS3l1N5txdu000h6sxOSa+kSPi7upUcmZEPUsoGaUUdUux7b4FuHufCmlyBVx5LpuUD5sN0J7kZ7124VWjZHh5hbnXc3UY9+9dyPPs7E9s2181Mn0KijTj1AxoFJye1ZNXN07DZdTuXXYJCF9PWpcEV7ToVFZixPc0WZd42J4mZV+ViPpW0V3OWTvsTCTeOTn61S0Yk0IeuatEyHxE4wOtDIsSqzjkmokuxrBsuwTt5ePXuKiEbO5cpXQoNbpmY8uQpKk9KGhR3H6FCtxdF5ydoOAB3rz5VGpHpqipQNu60pPJ8y3BHrzXXCpdanmzhaTKpgaH7wq07gtCxbkDmmVcndgqhs0DtcpyXAMmKSqK9rhKi7XRHc7Zoip5BFaSV0RB8rujHs7ZoNRXaTtLYrzqlBp3PSjiIuNmd7a2ts2nhdi5K9e9OKkjjlJXOc1JGS4KqRgGtfYpvmBVtLFaVmW3POTXQtEYv3nqV9NvCbgIe5xmsZyu7GkUlqbUyKEBohe4psiJxWyMSa1nSN\/QGhiZLqc6C2PzZyOKLjMCYnFIFYqyuc\/TpU6l6MZ5uTiqj5ksRfvcmmSWEYlMcUWGyxA+3tVNXQkOJLNnGBStoO5e0+VdhBYDjvSYPY8V8Qf8AIevT\/wBPD\/8AoRrx4bK5vL4mV4m+XBp9SGtSeEjArRMtbCykjoaYMj3c4xSM7DgxBFJJXJJFYA5pgkOLk0WDUfGxbr9Kqwh+PyqlYGhwWqWwAU54pXAQp0obEAUg+lTJAOX2NUtEA4H5qAAn0oAQHnnrTGhVbjtmhXBioQCKq4E1pcy2d9DeQOVlgcSRsOoI6VlUgqkHCWzNKNWVKoqkd1qejXNl4y8S3um6lpniX+z4pYll+VAQxIyVdSDnoehFfFVaapVJQa2Z+jUK7q04VO6ueh+DdPv7W7lvNTvoJZGjCIkKkDPckmsWrmk3c2NYnZ4NueCKz2Gjh\/EZ4YA1ohNnGanF85bvVoyZkSkLcMcZrSKTM5aPQhsLvxxYO0Fp4jS303cWjCwK0qA\/wgkUSUHqlqaRq1IR0Z5H8bL6S58VQQSTPcSJDvd5HyxJJ5Jr18BC1Ns8fGTlOd5M4+6IjtWJILOMDvivRTOKnrNW2KcPyscdSMU0dEtT174KXbP4SuLXKlVmEgB\/gOOq+h6g+orowzs5I8fHRd0dYx5I5ruW1zzh6bvWhWBXHhsn60Iq4+M88H61VtNQbHrjrjFPlIbHqce2PfrUt2HFNkqEMwxTi00Nxa3L1tbNMMgDA65qibMdJbNA3OCPUU9xWsKuD2oaGmSRj0osPmFG4nnmkIkGccVfQWxPo1yLe5IkHyMfyriqUrs76dd8p6X4N0catpzTE4jbpnvXPUq8jSMVFydzD8eWK6ddLDXXhpuSuZT3MKJxmupsEhZZMpjtSsGzKMxYP14rjlTakdsaicR0UhK46V2Qelmcc0lLQduXeDxmqdiGXo9UuFhMYIHHWo5Y7k6lRpHZiWOSfWqdguQ3LfwE8VL2GnqQ2duBLuxWbhdmnNY0jKdgBPStIpIzk2RtL2x+NPci4zzBnqaQ7Ebygt97n0pAQyjPfrQCK9whA5o0KbaIAvc0ybj0B9aYE8QOM+tJuw0rkiA+tJSK5GS5wtVdE8rG21zGxYZ6Vm5K4JNHkfiPjXrzn\/l4f\/0I15S+E3e7KkZqk77iaLED4696uwth0xOOe9MGRK2DQLccrcikybDi5qlqOw5WNOwpMngPNBBYUgjrikwHZAPTmqjqCJI\/mxQwZJ5ec1LYhkgFNBcjcfhTQEbcDimtxgDn1qgQqnnGaQ\/MUY3YzTWwkia3i3nms5SS1No0+YfNAyDdg4oUrkyhys6HSPFPiPTdIsLfSYRMULLkoCFIOQCT7GvnMxoxWJb7n3PDzVbDKDV7aHS6B488azTRxXXhaGcM2GltbgLsH+1nj8q8+VOKW57VfD+zWrO\/e\/Z7RWcFTjkHtXI0cuxzmrzCR2weCaqIHL6\/KsaEAjca0Rk2c6JTJchVGcn1qr2IZa1VxFpxweT2pxd2LoeM\/GXT5ItZj1EoxR4gHcDIXHavZwFRWcTzcVB8111OBu5mlYDoqjAFejYinBRQ60xvBJzzQTU2PTvgm2GvI8Z3IGz29vx61rQXvHmYqKcL9Tu0+Yj3rtTPLcS5EuAKq+gJ2RFKpWU+nWqjrqZPRixtiqHcs20YkyW6VSdhpXH3cIWPcnT0rKeuxvCJBCzCTioTaZrNRaOg0aVDAEPBFbxd0YJW0Jb91K7epzVxMpWuVQPegWg+P3pi3JBzQkkDuSomRzTYAYsc9qnlGpNHb+C\/F8OlaesE5I29MVyVsM5u6NITMbxdrTazqZnK7UHCitaUPZxsOxmCUDvWgJiGQ5xTBsZIwYc0CuRb8cdqcU0yJXHx7nb5eaqT0BK7NLTrPzj8\/FcU66izpjQbVy8dLRE3bsitFWuYShZmXqduI3HPB6VqtSGQxMqjApsGxssrFuKiU0txqLaGq24ZJqk0S42I7yby4j9KTloEdWZdvfM9xt75rGE7uzNJw6mkjjgscVqzOO4bvOfYilqyU\/eNpwbWg+WwnRMlfwrXnRkoPqRwRYyGGD700wbJoEwenFN6"}
 18078{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136207603,"flow_dst_last_pkt_time":1654385136563848,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":13026,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":13026,"pkt_l4_len":12992,"thread_ts_usec":1654385136563848,"pkt":"nLbQ0+MztKXvZygQCABFADLUFpdAADcGEausaXlSwKgCfgBQtFrv1dsDOBd56YAQAOsbqQAAAQEICsmhz1jytRrT\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIAQQCgAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APFrvW9ct9Tm86+1OLEjbROnmL19eDXiyaex9drt+hZg8S6jtDPf28vH3WZkP68VFimkxLvVLa+iKalocl4uPvQuJP0zWsedbSsROnTkrSjcqQweF\/JBtr\/U9KKnIQtIgXPXg8AVXtK32tRQoUEvd0KMngKLU3FzpHi4ylzvBaXdvP5itFjJR0lExngYz1jIz9T+Hnju2uVuYJPtaoxOVuGUj8Dnj8atY6m1Z6GTwVaOqszj9Y8OePdOumZ9Pv2DHL+XLuDj8DXXTxNCS+I86thcSpX5DM1W71m1n8sJfwoAMPIHBzjn\/CuiPLNbnPKM4vWLG6Zqd1bzhpbm4dSPvCXO39aJR0sioO25evfEeoaXew3Vpq13BdLEhiltrh1ZCOQ\/B4PNZqHMgqSSMpvE\/iO8vjPqfiLUrlywbfc3TyZYDAJ3E54JH4mtXtaxhFtO7LMmp6g0Dpc30oSaPDMzHKt7c8dqytrdG91az6lPwxcXU+qIJrq6kij+Z1E5XcPr26VtVd4mVKClLU9A1LWrm28JW0T6hfeZcRmWCVZcqmXyNzZznH16153I3JtdD1oVFCCv1Oa\/4SjV18QTQR65PFatO0rAsWQgjGSB6jrWypXpptamNWtaq1G1i34k8ZapPZW13LqH2qS1l3GKTI4IAzjPsvPtjtTpYe0mkZzrppMd4Y8YeINS1KPIe4dd0kkvmNlcHKnGcYB\/SipSUIvUdKu5taGjrHxD1nSdSW\/aW6Pnb2RkOFDldpU57Y\/KsYUFLqa1MT7K2hFo3xJubrybd5r0pC\/mlBJwjFQrYJPOcd+30pyw2tyY45SVrC2vjSadpLA3UkD790aNK2D\/ALQGcE7amVBpcxvQxb+DY67QdSn\/ALGEaXbyJy3EpYsc54PrXNKmuZu52KbcU2ibXfFDabLFLFqUkUs8g8qIOd5wnO0Z68d+5qFRlO9jSeJjTSUkRy+P7u90uQ3eoyJ9jmX52kxI27hcAdcetVHDyXU5pV6c9Weg\/Az4hXPiLwV4g8LQzxtDo8P2kygMJC8jqmOeMfKcY7k1jiKE4Wcup00K1Kd4w6GJ4+8W\/YvE1rpU0qCSGNLj5pD5jIU2kBemO\/vU04Sav0Km4J8repL8SPiTf6sv2LTbiXQrjekh2Op+XacgAjGW6\/hWsU9mrowcoXunZmAfE2mQyaZJbeL\/ABRfSzKTetOiKQxU7FRFB6HBycZFaKP92xlKeukrm1c6\/wCFb\/wdFPFrGtL4oO1ZIZAgtmwRnkck9Tx0NRVTOihOz6GG0tx9lvYzcToPNQSIZjk4Xj6A8U4zdkKpCLkzqtJ8a2yeDptJ1H7e04uDMkEYO7HlIm4v7kHiudRkqnMapR5OVkkXjCyW80eWC8ns2tdUFy\/kMzsIwVyQcc9CfrWrTsyIQhdXsXfjJ440fxK+grYa1NOLGEpctKWUl\/MJO7jGSMfSpw6nTurbmuKUKrTViLxR4i0zUdas7ufUZpIrfTTGDH86ofLKhSW75x+dQnKO3UUYwsJo+qaDY\/s6+HtLvbqxOp28sjXllMrLc7NzfPI\/oQRgeh9q3lVlKd0cvsoQVmro4D4beJXi8cfY7tp7eCPTrj7O9wfvuZg\/K+oGAD7VrUi+TmXdG2FrwT9k1Zcr+9s9P8G+IdPk0fWrO91q3hW4aN4yyuxnZCc7MDC8ECuedSV0RGCZY0DxHp8Hjm+1OW6+zqxh8qaRSyygMm9SoBOAAaicm5GsYw9na2pz\/wAe9UbXn8bQaJPO41Fl\/sv5iiuAyliM42YAPWuqnNKUW3scdahzU2o7nk3hu11SLVo764vCv2XmNxOW35GCCOmBnr\/hW0qvuNLqKOG\/eKb6Hd2msXcfhOWL7S6tuk3FnOPvdc\/iK86pBudz0oTjGFjS+G\/jF9Au7w6i109lepsmEMmDlQcDJOCpBOa0lJySOe0U2dus82ofs\/Lf2F5II3huFiZTzgMwxkflUSk+a7CEUo2R5XpnijT7nT5SNTnD3cKK2L8KYyqDIIHB6dOK3\/eJ7EOdK17leTxhoy6MlpLqizRyzh4zJcsQzbAu3APXjqaXJVcthPEUVCzaJbv4iaTBZNF\/acBt0iChIwzqRyfToMnn2NaQw9R77kyxdJaK1ipp3jiXxBcM0WtRzSwNhkUmPCHByo4GM56VnUoulurF0sTGsrRa0MbXNbESMbm8mdMjBBPJzyMdvargrtEydlqUIfGpsvJsLaW+kRCJfs6vld2MKWYdWHrjpXSqLmrnLVrRi+Vlf\/hafiHRdYuporzVbS7u4mguyuE86JuSuD0BIH5VawblHe6MXjYRlqncrW\/jC9i01IrSea1XBcBnALM2c5Oc++CaJU5N2bBVqaWi0K0HxC1ZrqKEXs8O2VmZjHuILAK2eSSCB0\/Kh0JW3BYyne1hL3xNqEMRnt9QvVmUBgzEkNHgjGS2cYJ4pqk3uR7aMXdGpZ+IDeeBNGiXUipt5p4JfnKurFtysT1KlTj2xUzTU3c3hUjOCscj4xvr0ywSpcTJuB+VZmwffmuijLdHDi9ky74G1K5fUrSNp7qdFJDpFPtfn3HOffmnU0iycOk5pG3qp1dtChhsIzdyvdMQ9uzyXGPRlHAX371zxq3lq9LHdUg1TSiru\/zJo\/CHxEv7fy7LStQgW4bpcTCED0zk8+3FNYmindy\/UyeDxEvhjuXLL4UeM7SYDVfEun6ecbjG9yZWP4cc\/Q5onmVL7KbKjldb7TSOx8KfDPTG8RQapP4z1ad7WQGKHTrctHgfwqcniuOpj5Si4cu52UsujGanzXt5F3xbd3elX81jI91GkJwsTtslnzyABn5V7kmuON2eg0krWKSG9Nkb3UJ5DJNjZGrkAD\/ZGeg9TTur2TFyWV2YuoXAV87X5PGbnv6VspO25lKMex6x8LPghqmsaXH4g8ZSyeG9Gdd0SSuTdXi+qp\/Cv+01R7SSV7iUI3tY2vHHxf8AC3gDRE8PeAdMhMlsCvmt84V+mefvt7t+ArJKU5amjkoKx4xrU3jH4iT6deSa7MqXVu0927SkgSeYyZx\/E3yjr+ldt4YdXa1OKPPiJOMdkT3Os6f4L059G0O6uL+\/cg3F08pYeZjqx6ZHZRwKySqVpc8tEdUfZYaPLHVvczdHlv5L2TUL+4uZ5yCfLSVSzZHOEJ5PsMY610Q9w460udFe8ju28ySz1E+UG2xjzHIc88BiBg8dPXvS5bvcFUsrSRz95q1\/bz29wlzPuSTIBc4PHIP8q2p6E1NVZo7CwMOo2MEdvdXUaSwt8rSl\/MXbyGz\/ABJ\/Lmom+pCje6ZyPjTUZxqdtpgu2t\/O2FrlpGLPGPulznBLEbicdMVrTqe62YSjaaRvaLo+kbluLnxA86qCxRX2h+OmOTj2rD21S+iOp0KVm7q5qrqGmafC00Wqy+dPhmZZ5CCu0rnIA6AdB6GtVOfNqjGahy2TLf8AwmvhLStuLW8uP35Z4RFs8zj7\/mFj1PIG38awlTrT0bNY1aMLWiSv8YN4EFlokkcYBOZbtjtAHHCgCpWDaesjV43T3Ymbd\/ETXN729obOExRqZJJsZD7gX+Yn36gHOK09kjn+szfYgfxH451dorfQtS1SWI9UjBjMg5JK4A98g9OPWlyUY6yQ4yrz0i2XLHwV8S762ka4YW7zsGDT3WGbgjBxTliaUdjSOEqt3ZTTRrWOdrXUPFMaXttvE8Mc+AAW+8rNxweNvUdaXtpPVLQXsY3tJ6nU+G5\/BFlHFJJYalq08TZTktGh93fAznnj9ahuvLZ2RpBYePS7+84Ua3rxv5mUNKm9hlJFfAz3BORWlSlRNaeJqWWhZt\/EU8swhutMhduhEkWM\/j0rneHW6karExbs0XVnsmYO2kTwlhgPDnj8qTpy7lqtHsT2clu2AupXUQ3BWDxbwPbnAJwelQ1JOyRakmrmvbadpkjBDqZx2b+y15\/FZM1MpPqiloXzo6wQGew8RCJ0xx9olgBPuCGFJVE3ZoG30FWPxd5eYbqG9UDJAnimJ\/kf0o\/d7A5PsQifVVIXVtGICn5mFoVOPqTijlT2YnO+6LFz4b8Gak++5htGUjlns+Sf+Akn8aSxFSGzf3kOlSe6X3FC5+FHw\/vo\/lazRjx8l40Tqf8AgWPyrZY\/ELqZSwOGlvEwdW+BugyZTT9VnUt90tKGH6A5\/Oto5nVXxIwllVGS91syNX+C13eCKNdeghmgjWOOOT5lkA\/jLDuee3atY5jFO\/KZzyjm0UzGuvgv4vsJBJY3thdOmCPLlK\/hz1rZ5lRkrSVjCWU4iLvGSYnjPwL48ntbO3ttFZ4obfbKkDry5OSeTSoYrDptthiMHinGMYx9bHKp4Q8Xaddqbnw5qMSE7Xb7MZAq9\/u57V1zxNGS0kjiWExEZe9B\/cdRfeBri8eJvtsEFnLs8xZldJwo44BXHTp+tcX12ENLO\/4HestnNJ3VvxMi5j0zw94nudDhuPNgM4WG6fG8DAxnp69q2jOdeCmZVIQw9T2d9CtruseVdy2kcdnM8cxZt1uHVTnkc961pUkveZjOtryrUv8AhXWZ7lPskCWqTO5MkcVsiF0A4PA7VFWCTuVCrzadRsOt66upS2ianG65YXBS3iPbjkrnr6UnGChexdF1JVOW+nU6nwpLFb6QsYaKaVgZeDje57Njp9B6VyVEm20ehSlZWucb8ToJbvxBFJDFjK4wpyA2fWujCSUYu5xY+M6kotIv6XpkMFhBDLFMEQCNx5o3ZYN8y8cL\/ifalN8zdhQpcqSZ6b+x7pT22l+NkJwD9jh35z8u9j\/IVy4+fNyHZl9J0+e5yn7RCsfjQ6LO0aQWUSsUXdkbTxirwtvYvTqZY6\/tlr0OR8T3GoWtn9si1GVbksYbqMx5+UgYO45yfpyM11U1Tfu2OStKajzJkPhTVtYklDf2iVaBQsSpGNxXBycgc8dc06tOC2RNGpUluyprup3dhqKizvo5kwJI5Y0IOMcoScHHPT3rSEIyWxFWrKMvdZ02j6lrUOimT+0bVHkTdIzH5I2wdoPHykAdM44965p04OWx00qtRRu3qdr4o+E3jzQfD2l67D4ksdSGqwW0yQQxP+4MqGQty2OBwT054rF4iim48pusPiHFSU73Oa1Kx1gAw2up2sssKAMkkpAeLknGMFuf4vY+tNOK1a0H7Oq3aL1IGtPFOnBBqH2RBGiuJPPYs2fmQYPB78Y5pqdKWiuU6deHxW+8dpcviPV\/F+naLpGp2wudauRBBNJKSsUpbkMADgcdxx2pqMFFyktjFzqOSjB7nS+LfDHi\/wAGXMsGu6to8i3Fx9ldra6dosY3YYsuQMjkis1OnPSKN3CrBXnY5LSbDxVqmo6r\/ZUtkJNOhMlwzj5JR1Dr1yfTt61rKdKnFKSeplGjXqSbg1dG7pfhzxXqGi217beJLCKCMb98kjPFGGIViwUHgk4xyelRKrRTs4lwpVpR92WpH4H8MeNdd8SSWEPiBZII7grJcRo5UMS20L0I5XI\/WplVoWuogsPiE9Z6G38S\/g98YtLkmlTRfEeo29xbCS\/uEsX2xluuWfGCOhxW9NKW8LM5qslFaVNOtjnPBfhjxXpzSy3k5Fpa2qXM9u8gbbAx2qQBwfmxlQc1lWq03stTpw1OrG15XX6GhJPJ\/ZkyQTljG0qq2zac9RxXI1eWp6MV7rOY8WLIbOOC41C5MDhyHSP7suM8jI9OvpXfQXVI8nFNvRvQ+vv2A\/h\/aeP\/ANluHSNavdQ082l5PABbbMskh3hvmB9eKU6EKtWTv2MVi6uHpQilvff1Pmr4rfDPTPDHxH8Q2\/hmw1mfQNJvHtP7W1C5jZLuRXKs+1VGBuyAOemSa2nVtaCZFGlKSdRrf7jnfDHww1TxxrM8miCG1gijUzNLvl\/eEdBgAnI59qUsSqStLcuODlWk3C1jutE+Cepra29m8tvHJtZVjNhIxnI65BPBJOOP61yyxfVI6Y4OytdHmnhTT3sPipd2Fuz+VpzywTSsoAQjgjp3IwM104icZYdOW7McLFrEtR6XNDxxMqWVxE0uAxJWPdk5BzkVzUl7yOyu1aRj+DrJL\/XnsVuBB9rUsBIpMUixgs2cfxAZxXXNtQ9DznT5qllpf9DtLr4PaxdwxXCagVAQcrp80hZSBtP0\/Gsliox3X4mywU3bX8GZfinwP4ksH+yadpmrajKyBvLTTHiXceM5PWnGrB6tpfMVWhUWkU38jTl+Dl\/Z3OnTy6zPG9xbs84\/sokwPhcR4LDdnJGeMbah46DTVjX+z5XTv+BFZ\/CrUNTa4tJ\/EOlae0CnGWDmU5PBAPy8c4BPJIpPGwTuk2JZfUenMkdF4a+E+iWNgbSfXp7qVirs9pbFk3AfwgjnOfWs6mOlJ3SsdNLL4wjZsuN8KfB4kEk+natqBXLM15eR2qZ9MZBrH67U6WRo8BRl8V2anh\/RfBuhxiWz0bw1Y3Ck7JGlkvZsD02cfrUyrVZL3mzSnhqEH7sUjUPiOyjjNrbX94fl3MdP0qO3x7AuTn61nyye\/wCZspRWiKtxr0iHMWl316xxh73UTwPcKAPwzS5VfV2Bt+pDb6jqY3PBp+iWLEHJhshNID\/vPuNNOK3DUaZNfeVpLrW9SEOB8nmCFP8Ax3GBS5obJB7\/AFYrR6Q9pI9xc2zSlflllYyuGHK9skfj0oi5PQdorVkPhvSdY8R3qWGk6fLqmoXZAjihAwo\/vMTwqis7RT3E5aXPXdH8O+BvgzarqniK5tdd8UrGZFDANa2GO6ofvMP7x\/AVam27JXMntduy\/H\/gHifxe+NXiLx5dXMmnTXMtmW2iUMVJHb02\/zx6V0QwzjK89\/MwlXvG1JaHLaDo9jqFraatfXNxa2UKl7lZvl8189iOijH1JqpycG4pajpwU0pN2Ru+LXuF8MWs2iZsLKWN4p4MCKTaGyu0dTuySQOfWnytxXPqyVNRnJQ0TONiCxEEIcKwzx+f41cbmbVjobNJrVYCYC8Udwv7wlnRifuvs6YIP3vqOtaGTad9SvqSCG3a7i8lELjEYURup+YDK5Py5yRjjios7XC93Y5nWCrQxcEBp1B4B6nGa0pprRhUdo3Ow0KF7eONEgeWGP5QnzDaeck7gpyQT7YGKmSvoS27XsYPjWO2ne5aaJA1vIQhcDMTHoqtnOD124OPUVpTlZWM5q9rlO3tDOEMcMk5dAPLAY4PocevYilzFKm3sjqdI8K61dA\/wBnWMh+yI1xtjQlYh\/HIQx6Dhe\/enOpFLRijTbex0L\/AAm1S58RPaa7dxaQltsWa5ZQVtlkHyjrgjJxn+HPOKzdf3bouOHk5cstDWvvhx8MNBs2afxV\/al1HgrHC5KPg\/MpKDAzjAOeKyVas3dRN\/YUYqzZltrXhC2WBtO0eO6mhu0dmutqgIud0bsjMSzZHTA46VVqr3ZHPTVrIzP+E81mTUn\/ALD0ZYp1lDsLaz2hMBgCzElSSrYOAOgpOjC3vMca03L3EVNQv\/GmrZivtQeEMclPP3BfXcQQq\/rSUqMdkW\/bzXvOxT1KztNNtrW4Fwl+zlgXBIHb0xnp\/wDrrT2sW7JGfsbatlO61qPeGt7Y+YBtBnO9FHsgIFTCH8zKlNR+FGjqbawb+5DWDyZkbDK8Zxz+BquWm+pfv22L1tFYklLyxeZMH5fMK4Prkf55rlk2l7rN4qN7MakMMEz\/AGaOaNG+6N2WXjHU44yDVc2lnuWopPyLljYfarsZ1a4hDrndKmccdCM\/hWN2jWy6Gt\/ZF7ZRhoZxeqOS1uh3LnOCRjA4\/GpclJBZplF5mldkknbg7ShOD\/8ArqlFJaEc2pb09MOQVjYqBls\/55qJGiJo72dr5Yo9bvbSLZh3t5SQDzjA5Hpnp3oiklqrhurF6Sx1KcAQ+J7efByBd2Shj7EgDinGUOxPJLuTRRPbRONb0AyknMdzYqwR1OBngnHTjOOvSpbjf3WNLTVHIeKfF3g\/TkjIl1GzlkbI88F1xg9NmTmumnha0+lzGriaFL4n+ZseDJrnxDLdCwltJJbXZvWQHcA2cHBwQDtPPcg+lc9VeyS5up00KiqX5ehuPp+rxrt+wQttJzskx\/jWHNF9Tosyu66tbsnmWF8rAnmOQMPxyKuLj3Jt5Ekeo3hf53vYzjlWhBz7cUpWGh1zrzrsWeZEHCqXt2yT78URSewNrqV7y50e7XzLqz0q7GM\/vrdcn8xxVJ1I6RbRnKnTnukzE1LR\/BFzN++8K6WXPO+KMKc\/gRW8cRX6TZlLB4V7wRnx+BvBsU6XNtos9rIrfI8U7Ag\/nVvGV9nK5j\/ZuF3UfxG\/8K+0F41WNbyLLdFlByfXkGnHF1C3g47RHr8O7CK1uIYb65i+1hR5wVC8WPQ479801jL6cqM5YBN3UmvuKkfwtOGWPXpJBncGu7Ndx9sqwpLF315fxGsHOKtz39UWz4H1lbEW\/wDaOmzLn5S8bqwHcbgT6Cn9Zg\/hTCWGqaPR\/edF8ONOvPCmga1Zm3tTLqMsLK0Vw2Pk3Z3bh15rGrVU2tTWlTcE7pHCfE\/wj4q174jT+INPFkLeZY1aN7kZIVcEEEfWurDYmjClyPc87FYStUrc0djltd8AeOr+ZwltZeTuyI0vVJ+pJ611wxOGitW7+hy1cDi5XstPUl8MfC7x6tx5Z8NmaMAsHgvIw6nHY579MUp4vDvRS\/AmngcUvsaeqKWp\/C\/4lt+8vPDkm1eFzPHx7da2WKw6+GRM8BjJbw\/I2PDXhbxX\/Y8\/9peHdQRkdQiwsCJM55A3fwnOfqKwqVqV\/ckjoo4er\/y9g0eoeP8A4g+I9e+H1joOl+BtdtbjTxAJJFh3LIIo2RuMcbt2fauGFOLndyVvU7pTcYe5F\/ccNban4t03wpDotv4F1Sa3mlaabzLDLqSNoQSY3Fe4GeM11SjGT1mkcsKlSFv3b+4h1uHxPrU6KfBPiK3UiJNxtidgXgnI9\/0qKcYQ150zWrWlUVvZyXyK\/hXTPFGh\/EnSdWk8H63LbaTfrc7Y7X95KATyDnHOa1lOLptKSu\/M5YxqRqJuLsvI7T4s6hqnjK8uGsfAfibT4k8+7cXFuu6Z22gJlT7cYrCgowd3JfedFecqkVGMX9xh\/CxPFujL4jgvPBetzXmu23kW6m0OBkcE9+v86eK5W4cklZeZphXOCmpRevke7fsWfDTXdcN7J4gtdV8MxaPDHFDIIkDTTs5chVkDAqq9cjqRWkKEKzcr6HJiMRPDJRS1fcZ8e\/h9p\/w\/+I9tB4P0n4geJvEWozxXt5dxWqmwslebJDCOMBmIJO0EAAjNFTDwhZLciljatS7lZI9+\/bhsdQv\/ANmXXrDT9JvtYkuJ7WNrGzVmlkRpQGKgc8dc9sV2V\/g3PNw9vaJPY+T\/AAJ8DPi\/4s8H3mp2HgvULRfD2lR2aWmoS\/Z5NXIOSsQPUhQCQcA4AySa4VRlO7W17nryxVKlyx628jX\/AGLfhJ\/wlfxln0v4k+HYbrRm0q5l+yPeqGSdWQDIjYMCMsOadGNOU7PVjxdetTo3hpf0On\/a++Fnwk8J+PdL8O6Z8NtR8u60r7U9xYeIXtYwfMZcEPFKS2B1yODjFaznGjLY4aPtsQmnJHbfsx+LfCXw4\/Z48Y+INN0C+0q20W6iRLWbUTdPezmILEqN5S4YkgH5T61VGpFxlNXDFU5upCDaenQ8jsF0GL4cXGsT+BfGMmgxztFeXb64ZUWaQlyrE2\/OSx5xjkDvXK+WTc1F\/edkPaRiqXOvuPYPiroGk+B\/2TdMtfAC3GhGW7sp7aeMCa8JmIeUliMuxB57ADoBXRX5fY3aOPCzqPE2v3PF9X0vWtXlhu77xb4qvrmAZVrmOOLyh32knjNeU6i2R9A6d7Psc7N4M0YtcB47iOW4kLzyTarBC0rHkk7eapzfqHs4620uZ8\/hvwQm9Li10iKVfkMtxfSXGQO528EVXtqqtZ\/gR7Gl1X4jrG28G6dOLaJtFTB3CSDSmkYn2JORVuVZq92\/mJU6UXol9xt2+rxiBliu9UwOEW3gijUjHr1FY377mysV2vlMqSTrqkpU9LjUXQf+Of0p3vtYLBdajbzSeXa6JpAnfgSS+ZOw\/F2P8qTjpqyml2Es9L1aGHc1xa24Of8AU2qg\/qO1LnWwuWRnanPGmwanr9\/OHbairdrGv5IeBWqi3sjN2+0yuL7w1DLun3XDDkYkMjZ+uDS5J30ByprcafEui+QfJsp0IOAFRR+GWNVGjN7iVWFtihceMo1lUwQLtDFQs9xnJx6KKpYeS3ZDrq+iH23iLWZfng0kIm7bvjsmbHvubIxTdGHVgq876Ijn1LxHc58y+htkdsbXukjyvqFUkn8qFRp9hKrVfUjisb+WXdJdTzjdn5IJGDL\/ALz7VH507RWyJvK+rOj8E+FbvxFrcWk6XBLJdStkFp49kK+rbN3A9yKm7tdlaSZ6d4l8b+HvhH4ZHhfwn5d5qxh2ajfJjdI\/XBP90egrmnBTbsbXUVqeI2M+ueKfHtnqWozyt5k7eXH1yXUg4B+vet6fJSXKjmqKVROTOXu9I8jTo4YYyuFGQFBORxzXRzvmJ9leCsSaCs9wkdrekzxW7CO3inwip8pPPYnjAJp2V2yHKSXLc6WS5lXTluoGSFfMMcixxvsdFwEJ8v5QRuOcEA5HPWk9dhxOX8aahdmVLpVR2OAxbqVOSuT64x1q4K7szKblGN0P0DVZ3tlWeKUBgRHtk270\/jTd2HcejfWm0Q5rexLeQNLvQQMkysWAllAWVegAbpkAcg+uaTUluNTSV7HOajMk1lJH9lkQ5B3FgRWtNNO9yJyurWPR\/h3bXD+H7Hz3DRsrNGXXO4Y+7745NYVV710bR2tcy5rCxPiqzn1K1N3p2n70ZPNUeeuM7unLocZ45XHpV8r9m7PUz91TV1odBaePNLsx5WmeH4Xab5IZjDI4QdN4PyjIz156Vh7F31kbOtbSMRut+NteMK6a8bRW24NII0CYRUC8FfmzgDgHnPTrWnJGOpm6kmrXMVpdZ1BBGG8xZANvlLv8oE5I3Md3I4IPOTnNWpRW5KU5aJFu38GajeO0+paiqBsfLGTKygdsnCrj+dYzxMVtqbxwsnvoQXWjaDpFtcW+iSiW9APBlM2wd92BsXPvzTp1Ks5LmVkRVjSpwfK7s1NR8T6dpenRh7dJGwCsZfESfULjP0rJUpSbOr2kYxT2OF1zxLdanq8apLsWVwqqBtVeeqqK6KVBW94454m7tE0PEfh9I\/IZ5JUZgy7o5COQc4IqaczSpST1Oc1a0ltLhGgnmw20KhfLEnuOOa6qdpbo4qqcNUz0vUrzxRFNOLrRJSFZwJUgLHr17ivPdOF9GempzS1RnW19JJKfOvYoptuSs8Pl8\/gP6VUlaOgKVzTso726dY7dbK5d2wix3SeYx64APJ+lYt21Zom27LcsqZYcNc6ddINxG5I96qQcHlSe4I\/CiyezL5mnZo2ND1eO23+TLsLYyrDr19azkrGkZJmkdVknXc1rbTc9ZIQQPXpiskpbsttGr4v0LSY3tIbS2W1kvLCKa4KAt8xOeATx09afOToYLeFS3z2uo6eSDj55DGT+YqvapLUv2bOGn8eDT7grd+H9VU7c5dNufbjIP511wwya0kjjljOR+9Fkl18VfDsiLAL+WPzFCNBJDIck9QflxR9QrXul+QnmWGejf4M8g8b6il9rV99nVGjadgmECiNQ3yhQAMcf1PevZoUnGETwsRV55ytrqSaF4j1jSLSa8tdRuIb3y\/L80sSTHnOCe\/OOtTVw9OdouOg6WJq0k5Rlr+h3ngL4j+Kb51VG1BppXKJLBBvhHy7trMx+98rcfSvOr5fRh\/Wp6+GzGrUdrO\/4HYQ+LvFsUZeZ5TkAlpLM8n34riWHo3svzO9Yip1JR8SdcLeVLFaEY+YmFoyT+NKWCgldMaxb7Ev\/AAnsspAm062mBPJWXH4ciksPbqV9ZT6AnjCwe4KTaEQg+6Y3ViPWm8PLdMf1iLeqJ5da8KS8zaPdJk5P7sZ\/Q1l7GtsmV7WnfUadU8FO4JgnhHuGBP6UnTrp66lKpRfUcZvB7keRqToemPPI204qr1Qc1Loy9bwaVIAsGuSqowQDdrj9TSdSV\/h\/AtKL2ZqW1lCIgIfEhUnj78ZqPa6\/CVyLuNeDUoiwt9UikBH3vKjJP9aOaMuhPK0PksNSERZtRtT\/AHt1uB+PWleInFkVzp2pN8zS2BA+7+7OMdulXGUU9BcjGf2PqlwoDJozZIwzIQKJSiuovZyJP7N8SW8ilE0RUA\/5Zz7Mj3ANJVab6sXs5roiK8g1+dgs9ppcwI+4ZycfrWl4dGDjN7oj8jVFG3+zbAH1WYj+tQ3HuHI+xLCviMNiGzVVA4K3jAYrSLj3Bwl0RKE8Z7XK2kgT+ApfHGPfPWofJ1YuWfYdbWHixhuktpGJ+XH20\/0qVOnsHLLsOEPiOAPtsix\/hQ3pH9K0co9QtNdBdPk8WPHmTSpI\/mPTUic+\/AocodGJRl1RraFbeONS1y2sNM05Zrq5YLDG987ZP944xtVRyT7U0ueSjHcyqzVKLnLRI+oYLd\/h98H9SuLHyry+0fS57xnmJ2XFyELFmPXbuGPoBXt06XsaVkfK1q0sRW5pdfwR8maLrfxEuoYdUn8Wlp727S4uXbX5EBLyAsFQNgDnAA47V5TxEnOzbPdhg6ap\/Cj6o\/bQutSsv2d9Wn0vU5NNuReWardJO0JQNMoI3KQQCOOteviJclNs8HCxUqyTPnPRNA+K\/iHQNR1jRfGOp31po6CW9ltb24dYsjkL8\/zEAZIHOBmvMhVqzTcb2PenRw0HFTsm\/I0v2aPFmneAfiDf+NPEviWG90+LRbj93CgMtzM7ptVSerMc9T6k06FWMKjckLHYeU6MYw11PUNE0n4ufGvxTZ+OtU1rV\/hh4NtLXZDp9le\/6TqEYcv5r71Cx5BwXIxgcA9a7oSlV1tZHkS9lQXL8UvwR7V4YvtCv\/Ckdz4a1G31TT445I4byG4FwsjR5Vj5vO9gwIJ9a6FaxxO6bufFPwg0P4tfFzw9q62PxO12a3t2+z3kV7q7rFJ5u75AoUgjA5B9q4I+2rNqL0Pan9VoKLnHV9jl\/i1dS3vxHltPEvjK0vptAiXTEis9Qdbaw8pQhiTIGW+XLMAcknmsK\/tE+V9DrwdOk1zxVr9zAubvwmkOW1W0JA4AkeTPrn5TWKVV\/ZZ3P2XdEZ1DSIvLIEW0\/Mmy1Ylx+OKapVCOemuosvirQkwI9LkZmXO5oEGR7ZJ4prDVO5LxFPsZdt4ttrS6lkW2ciRSUX7QEXb6cD1rSWFk1uR9ZgtbCR+NJJpRHbaPZygruUkzT\/kAQPwxR9US1bI+tXeiLw1PxJeRutv4echk6waMRx6bmHB\/GkqEOsvxG68ui\/AZep45nhKTi6toxgRi4vIrce4IDA\/pVKnSXUTq1n5GdLo+pTuzT3duXOMYmluCPUfKpz+dWnBaIm82Ok8ORwwtLc380G4jAW3SNgB1AMjj+VPnvoiXTdriR6boe5la8uXwQdvnsSTjsIYz\/Ok3NPYSS7lix06zkJEGhuxL7g0tk7Z98yyY7f3afM+rKir7L8DWsLHVNu2K3W3Qc\/u2SIn6iJAf1rKbju2aKnN7IuJpFxLkXZibPHIaY\/8AjxbFZe1UdjVUn1LVr4QmmcLbxzynqAGESj8sUOs2V9WRqeGfA91q2pfY7KwsS4P72eVt\/lL3ycnpWUqrWrH7BG5478ZaZ4NtB4J8IzH7TdIyajqcCr5hO0navovb3qqd6rInJQR5r8J\/Dlzd3UOr+Iik00oWVIDyATggvnqfQdBSxLUE4wDDwcrTn1LemQfZdXmu2ZP9GlMgDEjaQxwTjoOOp4\/CiF+VNiqSWsUZ2spZzyyzri3kGVKBR9\/JJyPcgjPHQHGK6HC+xgpOKMDTHt7bVt06AwyY3gn7pByG\/A9fbNEZNbhOPNsbJt5F1RBa2qRO8kny794iYqPMUKRyu37oORhhjmtUZLVHEeL2mksJpjtX96DtAwBz0x2\/+tTpL3rhiVakO8Lzxy2YbbA7QAGSOTarkDgMrd\/mwCpHcVq9GckFdGvc\/bYXuLlGjLOdrxGYER5+6+ehBHA\/EUpyS1ZrGN9DFurGV7crJ9n2Nt3FXTJGeenNTGavoXOPundaDaEeFJr25WSNTdFFTbkLycADg5AA9KJPUiKskZjxQXmtDy7KZDCwbLuAoI\/jC4+6wLfMCeOtCTirlNXNfSfDWp22lIZNaMFtCjeWkSKg2N\/edsdqwddJ2RvHDtq70RLo1h4XvNQktVuftN2sW9pYmabywOAC\/AXJOOOafPUVm9EJwoxTUdWO1tdXsYYoNGGnykKQ0k0nMZHYKSRj8zV8tObvJgpVoxtGJhHSdZvJWuPEGsG4Un5LaGYhce5AwPwqnKEdIIhwqT\/iS+Qt2l9DCLe0+w21oGyYomIyfy5Puc1MGuZSluE4+44RWhzWq+G7u5uvPOpRMc5Pmktt+nAxXSqkFsjnlQqS3ZAuiSRXIeK7tkO4B2CsSwHtj9aXtlJbE\/V5rZo39WvnnTbJOjAcr8prmjC2x1uTsY2rSYaF7Vvmii2qcY9Qf0J5rppnNWOyvry6huJlgnmjcyHGyQggZ5ri5IuR6fNaJYXxBqKLsklE2O0yLJ\/6EDUyp22GndajY9RsJxi60LTZGJ7RGI\/X5SKlRl\/MHLF9C3YjQlYSwQajYyAEbrS9K4U8EDI6fjTknbWzRUYqLvF2LcNlplxFHHHrWpRhB+7SeHeqj0+Vvb0qHPuhqHmadnp12kWyx16wlDH5Umj2MT6fMvH51HNB9BpPubt0dfjuDZ61bW63Fsi7AGJMgwNvIOOmMVDsti4+ZHFqDpbBpdCuHjb7skallP44Ipeg3MX+2NN8l4rq3cBznDWsbbR6fwmpak2LmXUy9U0fwLqnmNMtnJvXo9s6sD9eRW0KlWOzJlGlL4lc57U\/hp4SuExYNZK0uVZWtkyvbhuDW8MZVT3f3mP1TDv7K+4zT8JYbOWOa0WwmeGQPGfMl4Ye24j9K0lj5yVmyY5fST5kvzLX\/CL6rZ3VxMbACS5l82QwzD5mIALYKjHAHArL20Gkmzb2Ti27aslFhqKJumjvVIPGIA4P5HNJSithpPqMN06fLLHIy5xl45kJ\/KiVmPmXUY1xaurMTCAB91nAP\/j60lz7MNCpI1nNNzaxMqjGEEZOfUlSKpJkOzJIdOt5IZPKicyRjcqGE4b\/AIEH4puUkx8t1oJDZQMx863mgZhy2+TH9e1S5NMOXuaNr4bs5EWdLibLAZ\/ehvoAGXipdaWxtGit7lefRNHF20cmobCMDbLJGB+GRzTjO2thOnG9rl218G6LeqTH4hRSeiPDGw\/RhmpniJR3iWqCa0Y4+AVilFwniC0QRsDiSBgvHrtas\/ri2UQ+ryTvcnuvB+oBCTfWs0Y5BUSAAHp3OahYmN9i5U5lUaHqUJYW11ZOUOBHHcvkD8Rya1VSO5ChNbFZ7DxMJWWO1uyqscbLpsAf1qlOnbX8hWq7IgmtPEnmjzYb9EUkAvMWx9aF7LyF+9vqhoTWLfckMsv3v+ehBx75HFXanJaibkhJTr8waOT7QVJx\/rgM+\/IFCVKIr1HoNt9O10uWWG7ITriWNzjsTmnKVPqyOWp2JTPrtmCZXvIwMgBgnPp0qGoND5qiFh1bxRGkZd5wrc7VCnHvxU+zoth7SqkTWV34nvpDG1ncOAD83nRqB9dzVo4wWzF7Sq3sbXhjwtq+syiXUtf0TwzYL\/rb3U9XhAT1AjQl3PsAPrVwocyv0OWti\/Zu1m32R6PY\/E\/wL8JfDlzZfC3T5fHXii5i23Ov37rb2ueyjJDFAf4EAzjlq7abo0Y2jueZWhicTL31Zdj3PV9V1TU\/2VL\/AFnUGi\/tW78HvdXBjQCMztBuOByNu7tyMV03i43PP5eWry+Z8o+G\/iH8aJoLGZ9YwpaAnFlZ4wWXPSH61wuuk7XPc+pJxbt+J9f\/ALamt694a\/Zw1nV\/DN4bXU47mzSObyFmwGmUMNrKwPHscV21NItni0IqVRJnzP8AC\/xf+0p4x1aXRvBXi3VJbiKI3LRJaRW8Magcl2aBVyTwB1JxXLGc3pE9SpQw8I80\/wBTI8Iana+DdVl8QN8O7\/xl41kvHk3azayRWGn3JYlgltGmZZN2eTtAP3QOtZqrSTvLc1nSrThywdo+R7TpPw4+JPxJ0w+Mv2ofHY0bwgmJo\/C9vP8A2dbsvUfajkbV\/wBklmPtXWnJq8tEeZN04Plp6vue8fCzUPB+ofDzTrjwHBaReGBG0WnR21qbeAxoxU7EIB2Eg4bHzdec5rWLT2Oaaadpbnz34ql0r9lr4M6tpHhy"}
 02486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136215384,"flow_dst_last_pkt_time":1654385136563855,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385136563855,"pkt":"nLbQ0+MztKXvZygQCABFAAXU7ZhAADYGaKmsaXlSwKgCfgBQtHgmuiQMUbJfToAQAOskjAAAAQEICsmhz1rytRrb\/9j\/4AAQSkZJRgABAQEAeAB4AAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APvKRyGwMdB1UelMQm9v9n\/vkU7CuSBjjt+QoAXcfb8hQAbj7fkKAFDHHb8qADcfb8qADcfb8qADcfb8qAFBOO35UWC4uT7flRYLhk+35UWC4ZPt+VFguKM+35UWC4Z+n5UALn6flQAZ+n5UAVtWhW50y4gYAiSJlxjrxWNeHPSlHujWlU5KkZdmcx8J72WSwuLGbGYH3KCBkA9RXm5ZUvCVPsevnNJOUKy6o69T9Pyr1E9EeHfUXP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XAfh+VAXF\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcD07UBcQHnt+VFwuKenagLiZ+n5UXC4A89vyouFxfyoC4mcelAXGPMiDJKigGzH8ReKtJ0iBpLu6RcD7vVj+FUTzjvCGrLrGmLfou1ZeVDIAQM96Aua4PI6dfSgdx\/4CpHcPwFAXD8BQFzP8R3IttNlkOMbT2FY4iX7oZ4f4nk\/te7NpHLIhDE5XFfKSb7jLBkk0HSQQfMfgYIzWEm+5Ri+KPFcml6Wbt5cueQoArSg33JlI4mz+MAt70C68z96TtJTgVvyzkY+0Ox8H3V3r9294t0fKZflHpWclLuXF8wx9Lmg1G4+2TF4C2Qx9Kz53Hqanmnxtu49KvLe+tLx1ROCobHWuvD3mtzCruP8ACnxEvrqW1WB5JPNIXBXIFazpytqRTlqdh8OtY1q1+NWmW97bFY7xiI328fdNVg7e2SudB9H6PLINTuVJXqD9wcV9KSbIdsfw\/wDfIoC4ySRicfL\/AN8igCGSWUcqF\/74H+FSy48vUjiunMhBC5Xr8g\/woKlHsTPc4jJZkA91FBBxfjr4maLoKzW8UqXV7FHv+zxKpO3OM+lRKVioxueXL8U9bvrj7Vq2qWumWjriKGBVzuyeST\/s1nds2SsfRUv3\/wAB\/KutHKwoAkHSgAoAKAHDpQAUAFABQA4dKACgAoAUdaAFoAKACgAo"}
-01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":73900.7,"max":895343,"stddev":189691.4,"var":35982831616.0,"ent":2.2,"data": [356191,54,308075,59,2442,3212,112,200163,56,36,29,26,27,25,1594,86,63,42,33,23,24,35,23,895343,371980,1,1344,81,1941,0,0,0]},"pktlen": {"min":274,"avg":4548.2,"max":21666,"stddev":5608.1,"var":31450230.0,"ent":4.2,"data": [278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":481391.0,"max":4660887,"stddev":1215170.1,"var":1476638408704.0,"ent":2.4,"data": [306055,4848,325793,248766,4660887,4604216,364,552,841,1047,367664,134,94,2523,311381,119,1695,102,878348,204467,1564,1050,216537,375544,43,1531,0,0,0,0,0,0]},"pktlen": {"min":268,"avg":4999.8,"max":21666,"stddev":6236.2,"var":38890032.0,"ent":4.1,"data": [268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17]},"directions": [0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":91723.4,"max":891560,"stddev":199830.4,"var":39932170240.0,"ent":2.5,"data": [348410,61,2586,311307,74,1916,87,90,200152,34,703,82,83,49,891560,375934,1624,82,2179,1527,332757,94,46,1896,46,1564,1588,0,0,0,0,0]},"pktlen": {"min":278,"avg":6946.2,"max":21666,"stddev":6776.1,"var":45915728.0,"ent":4.3,"data": [278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":73900.7,"max":895343,"stddev":189691.4,"var":35982831616.0,"ent":2.2,"data": [356191,54,308075,59,2442,3212,112,200163,56,36,29,26,27,25,1594,86,63,42,33,23,24,35,23,895343,371980,1,1344,81,1941]},"pktlen": {"min":274,"avg":4548.2,"max":21666,"stddev":5608.1,"var":31450230.0,"ent":4.2,"data": [278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":481391.0,"max":4660887,"stddev":1215170.1,"var":1476638408704.0,"ent":2.4,"data": [306055,4848,325793,248766,4660887,4604216,364,552,841,1047,367664,134,94,2523,311381,119,1695,102,878348,204467,1564,1050,216537,375544,43,1531]},"pktlen": {"min":268,"avg":4999.8,"max":21666,"stddev":6236.2,"var":38890032.0,"ent":4.1,"data": [268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17]},"directions": [0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":91723.4,"max":891560,"stddev":199830.4,"var":39932170240.0,"ent":2.5,"data": [348410,61,2586,311307,74,1916,87,90,200152,34,703,82,83,49,891560,375934,1624,82,2179,1527,332757,94,46,1896,46,1564,1588]},"pktlen": {"min":278,"avg":6946.2,"max":21666,"stddev":6776.1,"var":45915728.0,"ent":4.3,"data": [278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_packet_id":1,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":953,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":953,"pkt_l4_len":919,"thread_ts_usec":1654385139579809,"pkt":"tKXvZygQnLbQ0+MzCABFAAOrd4dAAEAGTmTAqAJ+Zx1HHomAAFCgxdnYmdL2h4AYAfZ0\/wAAAQEICoGE\/JiYFaLeR0VUIC9jLzM1LzEzMjc3PyZfaW5fYXBwPWthbmthbiZfdWRpZD1lNmRiZDMwYi0zYjg0LTQ0YjQtOTc1MS02MzExNDhhM2VkZTkmX3Y9Mi44LjIuMSZfcGFja2FnZT1jb20uc2NlbmV3YXkua2Fua2FuJl9tb2RlbD1zZGtfZ3Bob25lX3g4NiZfb3Y9MTEmX2JyYW5kPUdvb2dsZSZfYW5kcm9pZF9pZD1iOWUyODc3NjM1NGQyNTllJl9nYWlkPTVhYzZhMGZmLThkMTgtNDdiYy1hOTAyLTI4MTJjZjBjMjUxZSZ0PTE2NTQzODUxMzYmXz0xNjU0Mzg1MTM3OTY4Jl9jaGFubmVsPTFreHVuJl9sb2NhbGU9VVNfZW4mX2NhcnJpZXI9MzEwMjYwJl9yZXNvbHV0aW9uPTEwODAlMkMxNzk0Jl9haWQ9NWFjNmEwZmYtOGQxOC00N2JjLWE5MDItMjgxMmNmMGMyNTFlIEhUVFAvMS4xDQpIb3N0OiByZWxlYXNlLmJpZ2RhdGEuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjkNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuOQ0KDQo="}
 01563{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"release.bigdata.1kxun.com","http": {"url":"release.bigdata.1kxun.com\/c\/35\/13277?&_in_app=kankan&_udid=e6dbd30b-3b84-44b4-9751-631148a3ede9&_v=2.8.2.1&_package=com.sceneway.kankan&_model=sdk_gphone_x86&_ov=11&_brand=Google&_android_id=b9e28776354d259e&_gaid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e&t=1654385136&_=1654385137968&_channel=1kxun&_locale=US_en&_carrier=310260&_resolution=1080%2C1794&_aid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
@@ -853,7 +853,7 @@
 01207{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1658,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385141046673,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141046673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":426,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":426,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":426,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385141046673,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.79.37","src_port":41390,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Google","proto_id":"7.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"google.open-js.com","http": {"url":"google.open-js.com\/doubleclick\/ca0ecde2.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
 01137{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":2,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":520,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":520,"pkt_l4_len":486,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAH68DMAAPgGrD4SQE8lwKgCfgBQoa4lNEsiAYFa4YAYAIOtmwAAAQEICtL8K4OmALBISFRUUC8xLjEgMjAwIE9LDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2phdmFzY3JpcHQNCkNvbnRlbnQtTGVuZ3RoOiAxNDcxDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDA2OjE4OjEzIEdNVA0KTGFzdC1Nb2RpZmllZDogU3VuLCAyNyBTZXAgMjAyMCAwOTo0ODo1MSBHTVQNCkVUYWc6ICJmZGI1MmNiYTkxNGQxMGI3NWI2YTY2ZmQ1NzVhZmFkMCINClNlcnZlcjogQW1hem9uUzMNClgtQ2FjaGU6IEhpdCBmcm9tIGNsb3VkZnJvbnQNClZpYTogMS4xIGI0ZTZhMTMwMWExMTQzOTM3MjMzNGFhMTRmYjdkMzEwLmNsb3VkZnJvbnQubmV0IChDbG91ZEZyb250KQ0KWC1BbXotQ2YtUG9wOiBUWEw1MC1QMg0KWC1BbXotQ2YtSWQ6IGM4c2hiWWJFVnhFWWhjaEN4c1d5LUVhTDNiYzl2V3g5aUl5clpkVFEyYjVfeXZneTlRdTBNUT09DQpBZ2U6IDYxNjQ5DQoNCg=="}
 02437{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":3,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAXI8DQAAPgGqG8SQE8lwKgCfgBQoa4lNEzoAYFa4YAQAIPvVgAAAQEICtL8K4SmALBIZnVuY3Rpb24gaGF2ZVNjaXJwdCgpe3ZhciBhbGxTY3I9ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoInNjcmlwdCIpO2Zvcih2YXIgaT0wO2k8YWxsU2NyLmxlbmd0aDtpKyspe2lmKGFsbFNjcltpXS5zcmMuaW5kZXhPZigiaHR0cHM6Ly93d3cuZ29vZ2xldGFnbWFuYWdlci5jb20vZ3RhZy9qcz9pZD1VQS0xNTQ3NTc5MjktNTciKT4tMSl7cmV0dXJuIHRydWV9fXJldHVybiBmYWxzZX1kb2N1bWVudC53cml0ZWxuKCIgPGRpdiBpZD0nZ29vZ2xlYWQnIG9uQ2xpY2s9XCJndGFnKCdldmVudCcsICdPbkNsaWNrJywgeydldmVudF9jYXRlZ29yeScgOiAnYWRDbGljaycsICdldmVudF9sYWJlbCcgOiAnY2xpY2tzdWNjZXNzJ30pXCIgPiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0Jz4iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfY2xpZW50ID0gJ2NhLXB1Yi00NDAxNTQ3MTc4Mjc5NTA1JzsiKTtkb2N1bWVudC53cml0ZWxuKCIvKiBha2VtYW5nYS5jb21fQUtfMzIweDUwXzIgKi8iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfc2xvdCA9ICdha2VtYW5nYS5jb21fQUtfMzIweDUwXzInOyIpO2RvY3VtZW50LndyaXRlbG4oImdvb2dsZV9hZF93aWR0aCA9IDMyMDsiKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfaGVpZ2h0ID0gNTA7Iik7ZG9jdW1lbnQud3JpdGVsbigiPFwvc2NyaXB0PiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9Jy8vcGFnZWFkMi5nb29nbGVzeW5kaWNhdGlvbi5jb20vcGFnZWFkL3Nob3dfYWRzLmpzJz4iKTtkb2N1bWVudC53cml0ZWxuKCI8XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPC9kaXY+Iik7dmFyIGhhdmVTY2lycHQxPWhhdmVTY2lycHQoKTtjb25zb2xlLmxvZygiZ29vZ2xlQWRzOiAiK2hhdmVTY2lycHQxKTtpZighaGF2ZVNjaXJwdDEpe2RvY3VtZW50LndyaXRlbG4oIjwhLS0gR2xvYmFsIHNpdGUgdGFnIChndGFnLmpzKSAtIEdvb2dsZSBBbmFseXRpY3MgLS0+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdCBhc3luYyBzcmM9J2h0dHBzOi8vd3d3Lmdvb2dsZXRhZ21hbmFnZXIuY29tL2d0YWcvanM\/aWQ9VUEtMTU0NzU3OTI5LTU3Jz48XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdD4iKTtkb2N1bWVudC53cml0ZWxuKCIgIHdpbmRvdy5kYXRhTGF5ZXIgPSB3aW5kb3cuZGF0YUxheWVyIHx8IFtdOyIpO2RvY3VtZW50LndyaXRlbG4oIiAgZnVuY3Rpb24gZ3RhZygpe2RhdGFMYXllci5wdXNoKGFyZ3VtZW50cyk7fSIpO2RvY3VtZW50LndyaXRlbG4oIiAgZ3RhZygnanMnLCBuZXcgRGF0ZSgpKTsiKTtkb2N1bWVudC53cml0ZWxuKCIiKTtkb2N1bWVudC53cml0ZWxuKCIgIGd0YWcoJ2NvbmZpZycsICdVQS0xNTQ3NTc5"}
-01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":331,"avg":84919.3,"max":408625,"stddev":132393.4,"var":17528006656.0,"ent":3.3,"data": [380392,4573,408625,215737,457,986,1014,178521,331,482,379636,185383,1426,654,331743,5741,174159,6079,334,924,170502,413,6008,1070,341,710,169481,463,585,5307,422,0]},"pktlen": {"min":490,"avg":2615.9,"max":8706,"stddev":2200.3,"var":4841425.0,"ent":4.6,"data": [831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12]},"directions": [0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":331,"avg":84919.3,"max":408625,"stddev":132393.4,"var":17528006656.0,"ent":3.3,"data": [380392,4573,408625,215737,457,986,1014,178521,331,482,379636,185383,1426,654,331743,5741,174159,6079,334,924,170502,413,6008,1070,341,710,169481,463,585,5307,422]},"pktlen": {"min":490,"avg":2615.9,"max":8706,"stddev":2200.3,"var":4841425.0,"ent":4.6,"data": [831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12]},"directions": [0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_packet_id":1,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1654385142293700,"pkt":"tKXvZygQnLbQ0+MzCABFAAItm2FAAEAGvpfAqAJ+dxykj8qwAFA1Ocr3U6+amlAYAfbg8QAAR0VUIC9xem9uZS9vcGVuYXBpL3FjLTEuMC4xLmpzIEhUVFAvMS4xDQpIb3N0OiBxem9uZXN0eWxlLmd0aW1nLmNuDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpJbnRlcnZlbnRpb246IDxodHRwczovL3d3dy5jaHJvbWVzdGF0dXMuY29tL2ZlYXR1cmUvNTcxODU0Nzk0Njc5OTEwND47IGxldmVsPSJ3YXJuaW5nIg0KQWNjZXB0OiAqLyoNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpLw0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="}
 01226{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Tencent","proto_id":"7.285","encrypted":0,"breed":"Acceptable","category_id":6,"category":"SocialNetwork","hostname":"qzonestyle.gtimg.cn","http": {"url":"qzonestyle.gtimg.cn\/qzone\/openapi\/qc-1.0.1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
@@ -892,7 +892,7 @@
 01280{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1835,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":162,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385146284849,"flow_src_last_pkt_time":1654385146284849,"flow_dst_last_pkt_time":1654385146284849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385146284849,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49396,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/00dd6bfe750c02c8d10d7112d143f322.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
 00909{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1836,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146458654,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":351,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":351,"pkt_l4_len":317,"thread_ts_usec":1654385146458654,"pkt":"nLbQ0+MztKXvZygQCABFAAFR8fdAADYG95QOiIhswKgCfgBQwNwlgdAMRlWmyoAYAHrh2AAAAQEICpoJIgUeulbiSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjkuNy40DQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI1OjQ2IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogNDU0MjYNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkFjY2Vzcy1Db250cm9sLUFsbG93LU9yaWdpbjogKg0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0yNTkyMDAwLCBtdXN0LXJldmFsaWRhdGUNCkV0YWc6IDhjZTAyMDA1YjJiYjVmYzc5Nzk1NTc1NmIwM2EzMTk2OTI2ZTc5OTYNCg0K"}
 02472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1837,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146460775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146460775,"pkt":"nLbQ0+MztKXvZygQCABFAAXU8fhAADYG8xAOiIhswKgCfgBQwNwlgdEpRlWmyoAQAHoGUwAAAQEICpoJIgUeulbi\/9j\/4AAQSkZJRgABAQAAAQABAAD\/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL\/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL\/wgARCAI6AbIDASIAAhEBAxEB\/8QAGwAAAgMBAQEAAAAAAAAAAAAAAAMBAgQFBgf\/xAAaAQADAQEBAQAAAAAAAAAAAAAAAQIDBAUG\/9oADAMBAAIQAxAAAAH20E27BKcXAViJSJBAEhBIEEgQTAAAAASAAAAAAAAAEBIQABEwAAAAyCYGXpdICAoRFNwtkoAAADMSVVpqBeaXSmYkJglIAAAAAAAAiQIAAACQAAAAAAAImAAAgAABsACAAi1YGypYShsBVi2AAJAAJku6gAIJgVglBICAAAAAAAAAAgAAAcgCAAAAAAAAgAZEwAAwCBkTAAAXiRKCQIiasYAkAAq1B1ciQkiUiQCQBAAAAAABHBH348TWtPcnj9iXpIw7lmTAEkASEBIAEEBMEDkiQAGETA4JhhEwNkrvMyAKKMAraoOxAJQSXF5kmJICQBSRIAAAQArL5Z36Hy8UrVkpqnoEMlN24W0\/TdLxXUM\/QCrTncBkkCArYAAK2i4AAilwFgOiJhsYu6VgFIAAAFSQdLxISRIiJAgAYRIAAhDvOu+bnfmvalJnNLC0l73E50VemP06LGdLmaDHTMFRNYhVM0AZFAGXWwkAEABQtI6xcEsut0yVXSsQCkqAANzMSkAAABAAQEDkgDJx9ua+jJze9zsq519KVKk70Bo0q68vDsTtTZsyJvLSitdH1LZdyzXVoJJaiqSJCzU3aYRJESQEgABATS9BzathAAUtIAABS8BJEgAARMBWsVm2Cl5vi51ZuvXsZs6OeujmqhJl8+0EdHLzxdsy0Vb6VRS06eXq3XR3cdyXUbyHzPQSWUMtFiIrcCs1sOYkEEASRQL0IKm6wGi2EgAAAAABEgABEAmjO859smtLOd8Tgex8t2Oin66M1LXQ7fRjVuNtYGKurTNb+DdjWXdk6+tS1kiH00KJvS7yU9Kh7SkTM2rcABorMIraYHUuAuGwOrKWFIDQAERMBYACllywqK0VJ59Zipkq+V9Hy9aw9Hg9zdc\/cnWFc3cuLjdXXLha9EVOLVtTFchtdlbVcqHLWKq52JSM0rpWk1y2ZpjEtM5iQUQKG6c8g8iWgAAAKlqp2AaAEAAVVaYqqyiay9I3lWnm4Y35dF6Y85kG\/V1nZ7D7LaNvJ1IkmIlI9QzKHP6GbU7vlalCmMzFWOe51pbldoty\/PRz8nrZRY1dKm1Nc2rM3MQsvS9LjMCGpAAiRFCwnIQKaTWXF8T875PN9BzFzu6eZuWxOc59mY9nzek7Z5Pf62Xsehg6OO+jdzdTjUp81mi12p05QmtHQvzFHouj571riMHUiJ8L6LozpfMs6ueuO\/RRyZ6KL14WuSvTjpztX0XOhLRXuBkRMBJEgRMIAAirKjOb0M0JDVO4OpiNGYiZglr5mPwnXHtfEev5\/ZHFZW+uXa9X8899ydeyVsmk78yrO3l4TKizC12uvRaRl6VHrOVO5SOrWrSedn043vszp6EMqhvltiTjdHL3bZt\/bqW52up1zUUWiLAABEgAAAhvmonZbkXjLqP4PoODsrMmzeWjuyfhnx7fI9f4\/ezkJ9r5O4zd\/hQV73fxup5fdptTJtz8HteD9h1PoRJVM3YcBHpb5daxVj6VVVGHFaTqwdA6cet2ZnUwQ2Y5ufqomNbsuvTNkRZKbiE9FkXBgAokoFgAXz+qJebyeiwxlye4\/NehpQ96Oz05uW3ksvs\/"}
-01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":360,"avg":76988.1,"max":831841,"stddev":179465.8,"var":32207955968.0,"ent":2.4,"data": [207030,367,1074,749,203546,401,538,843,360,1168,622,204026,463,1910,808,831841,413644,1524,1634,381,916,201620,415,562,974,897,365,0,0,0,0,0]},"pktlen": {"min":351,"avg":3118.2,"max":10146,"stddev":2492.5,"var":6212617.0,"ent":4.6,"data": [592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":360,"avg":76988.1,"max":831841,"stddev":179465.8,"var":32207955968.0,"ent":2.4,"data": [207030,367,1074,749,203546,401,538,843,360,1168,622,204026,463,1910,808,831841,413644,1524,1634,381,916,201620,415,562,974,897,365]},"pktlen": {"min":351,"avg":3118.2,"max":10146,"stddev":2492.5,"var":6212617.0,"ent":4.6,"data": [592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 02483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1850,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146470951,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146470951,"pkt":"nLbQ0+MztKXvZygQCABFAAXUjohAADYGVoEOiIhswKgCfgBQwQSWIbNSmarBiIAQAHrnQQAAAQEICpoJIhIeulb6KGbrQ9NgAoPeIQXK8aNsRvWmWOG2+mJUfVc1tOfBUFm08iHXJpNv2Owf5\/8LnH1ete7iHIgeIQ+NvC5\/VL\/aRL84vFpH3hpuKGie89N\/ltwx+Jf3dMlyw07W7lY\/ANl1EAJvmqFKZxvNP\/7dp2qkMzGNaCj8Doc1sJJRQQ+ao9WYQoMiZ2FUxVUX6mhkQjNYtI4Xmy+wKkhyEHukERva96HY\/dXbvojGVj3HwIwCL7Uu4KCXJCOxCdfzRsyBCPbX85Xo3\/0i+EMzczsTrgKFypwzGJAzBLllK8mrlen1AbXKws\/iFuX9EFW9oTIIiG0ZW4bG5oE4h95E6fNS8I4kaDxPobJq1QBkoPqrtXoiEHjpKULTrft3zYnFpDwQu2eTvwy15CQ2tec5f5m1CtyPkJ8oKSdO\/aLi94jceiOZXraTb6+VbZVTT5v7KqPOtYsl8CgtLKBY9Ot78tCrSByNPAMDNF2pyABksBqbgNk+1a0f6z45tFT7oVWfhgbXl\/on\/kQ2tjjIKII+MrdKpU\/7Pps04g33RP6S4I8ga81Yz5R07ZIyJT6iuback6Gsu\/EUAaiVehLWhou34+zaMkfX4oW8nsmfVHl1TpepxDvzCEYnOi4OxvRscjYz8+bDhvRI9oB6DKa80JOZpGqnO4SIevnAUQte4KcbZKPz6qauxFKMjOPb+Fi92JZNBzuBuVci4AUSISUJZ9pDO344tYqlcxAnz5Lub9aL3azUFNTDSxweDEjd8pW4pwan1wijpkqLHf0vi8uNupO8FH0kib57l4ZodhscgY1lQi\/YP8qhWC\/Ub1YGeDcgEMSVmhxKOxrRmEMxZJH0\/SPVC1Q45KguC3L2a2vUkm\/rWbFirVKvRVj2Z6smUDwqdOzzvBk383pjRzwKiZn+50Qqi6vXyDKsGTAy7P8x6VRpnIzzPW60jAuNOX3Z8JKsQSoQbU7WWYxRsEMq2vDpEdVZDnVZhQNpQTkqwDBMcvnxKwGz371ROj3c1NoOOfCqOGX6dcQUiRIk77k05t4r7lBDoi3JaCOltfNkcyuik3r+d2D8rJRDa0aEaUWI7HzkzGE5xCg05dBJQ+GbxLjA+7YlokrbWDOVI5+7T2BJvj5Z2gSS4bQyr5V6clNZrOF9yEP7TY6KekfQFoBuQkiruOmgQDE3GJilpZpNsJut4YIT7F0OaRSKrHaXWfoS4Pjff1AtIHgB\/bHOLbEtnRDxHNLviswASL0Q8jLLlz3TRCqT8v4o7cRzUn+2eKJxSTko0F7LWInRcpNe9+Y+33MXMVaDAOeHkemly1HrRGPpJskPnYelD9BE\/N2ZrEmqz0vzx+lyA9i46mr4QvLytJqjP9O\/HSqlA1Kx9fxOAXNcAxSgUCEYxWhNuKuqJnLtxuQZR208YZRatEdYzf9DdIBrZeDV9KCfxPH6XHmKZM6Tw3RIrVgIvV1ORu9gNP4ZxWngguwIFKkqm\/QJwvcuq8ge\/\/zWwxnlXlHBvEJwP5OtKAK0XftE6rJHP2e+bJbxwmb93eYXIbhGdyhKZmqch04CLGO8ZQspqifdGuUIlfUuJjFC7hqacsNLSVicuPJzBOyU2NXprEYWc\/OZbxibYqlUXx1QnIHQ5VZlumABcc0\/1T3FfnECTGn8GRjjkVVUZpIueMMQIx3l8RzJtDm1\/VpZNOhOyDZV1UCnbO7S2SykG2XtX4RCuY7OXA8IZ2JnjkHuxMay4A3uSWOFpP5WNNUcHjze\/bYJSsUoGQ\/ieU17tPeq+kN+I0skTj9BNmaip64x8FfSWbU+sFOV0QwBozGD+Lr+4Fx7eGgUibMhfEp33ZyZZa3ve8AZrylaG4wCMpTMxS0GbDni7A5CuyPiGXxt+Ero\/x3NbA0EZstWz0F5lDlbQrK1AfXK7WKby1kb1HGIl\/BAQCaQBP6s"}
 14193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":10146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":10146,"pkt_l4_len":10112,"thread_ts_usec":1654385146472685,"pkt":"nLbQ0+MztKXvZygQCABFACeUjolAADYGNMAOiIhswKgCfgBQwQSWIbjymarBiIAQAHqBoQAAAQEICpoJIhIeulb6tgJjnFx8hVIwXR4iVS\/qWz5n+Fxjae7ZlUqBpnRyPdUMUd+QilKzXl7OrNKxG+xfS7TEH288LHzxu8ZitSenHMt52H\/QkEpV69+4AxmflPbcyhYuNqtaP02igUNEXeHnE\/ugkiQLtQdebb8RWtY9VsgDPz9GUtPkZLj16g263T23juO9fsws38GXyF\/QUkl47exxYxCkNwjcpk2rfKmm3nQg7N6W0jqeFp1mCVWfSdnf1Y7Ic0aAspDn0dYX7ERrxAbYuaTLxEKrjn9xjqvkkkgS5vTMQo\/QuHb23Cix7tuT4Z1trzTW8hydtgFvdta227DotNH3yGBi4f+L\/4sXuucsl\/ZYz2EwWxq5jcSLqELfJHxFWvLyS92f\/OP922wdIMEUfGBrUGM\/B3JtuZ3WiM5qe4JQxMfqsdaQSk4KNPI7lDEQlXw1h0iteFlx\/\/sbXUFb7a6zxAGqKLOfVJ8nwgmuJ2JJ7a50wGQcZ5nLknIFyLr5KlKTMbvqLWFs2LMvOv6V3ngFYSqCpTCGvq3EMOwjXIRIIPG0xirKad\/WrPQ8qnK75ee\/4IVUZVYuQzRd7olXfWjNWoMU2XKEWOHVqY0lXpUYEDS21smZjZOKOEbaDcPJR3IR2tSF8v7lmhDnC7A1Q\/ZMUecW1YHLZoxctM+TtOWZT+8NOrxJea3YCm9Yx1kAaAeNlJkXZxTsZx9fiGRUsKJUp87laAJvDIbOMmd8r1aoYTkTFmU\/sSJ8mQf2rPRf1eOXfHgrWYTr5hLNs7M38fDRwMZyvGfVF9JaZJr7oby8iyXNXc7zTY2L\/7mbvHkCPWlgDez3Db3GmjmR1B4zzKCnOT+ig1lwwIJo1WP+cxiw7N2K9r3vspvR5Vcuvuh7tgHpWqmAWhI6fetLr\/c2Vl0iiMIIre8vZpLEHW\/nohVeVVUderzf2dVhF2EtWAMquqz+sXVK0WGqetxa0ic3Oqtaq26N2z5MTbOtJmKxpBzaXCwnIzJfbkvT7NrL2Wy0YeTpBNp\/qObq5eeNpmjp1rcehffZdHdR\/PROFB3yNO91UKg3br6J36EchQjn+HHAfILGeZwZXM7g1tOqRvHe74tZLlvy11rPmfX1clEcNLCqdrXEZs6S1hXdICGrhpqkYawHpcEPmYXJpM3IoQIL6\/UfuOmin8lEdLYY6JkRJggUKNF3GopOMtqlw7cN6WYvnHBpqPv+d126Z4G+wSDqysaWGFBAN5NvcQbJbC6Ll61fYucNIkqNOL0YpI0ckzNHkzp7ppuY8oO9Fo0pVc\/ohgagsAS706RZzqtBM771ss7i6ivGHfRBZEjjDIPKsv2Sde9W91iB5ZG1lvOyoiXq+e07SLSxfFtviLdcctt4TbAeowmTgePDz0y3L9AurZZjU4HIorixz5KJ77M2+G+AlWnTOSYKMX0u9tKolMpL1eyCxnoAOfARlh5LFdSrBlImUb8\/QcBlj5qeZRDZQU0B+EzmE+arAHNjN51kGTW6D7VQMJR7u4gZ3CgkHpJn92AK61mPx3iPbbQMIpDgyBDREkqY+81rw9F+VEBGuxGn2OHvqi\/vOzeKm9iM0LloHBhmNL2zynkkneVPICTPD5SM+wMcfYdktvf7olC7djwltDQ1vQJ\/I6RAWfvx2ILm38PTiTvZIBEmYnoBQhOQ0E9Tb4QLfGTKne4btkpduZDgVkqDxDm78xzn71taOI7rLMzMH0SBU\/TziyBk+2oShCxYgmdU0iKDT8r46zjZTZS6v8mEtsdjmBbH7cPpyTT7gKEtnM8zptXWSIhlVykpGlFGFVQescLnpMRvIoRiJxd6HY25i8Q8badO8aZYOw0ti21cGDZu\/crSHqlLbfNys9iM3fwPZY8F2upWh4BROkh4t+NK7aItRWXKGLcjiH8o43WjkrzjhZ62eQB5Wlcc+8CD6CzKirazoV4LzmmyoNOd79K6CEyxZs7LfkoWUz13vIVl5saV+gwv\/uDP2Ytl2FPCGdgA\/v6tuERAYkXOh8gIh1RlzkPREpEf18veddCRJ8z6MI1K9LoTela\/e9o2mTY2e78QaKnXoqh+gJEKGbQQuqA2rJhJstN3uX\/EaXiA2PLbbBotmQW0YcCmKQgJE\/mvmHOw1Qun\/4swBH6823HVEWmKBvS0oVgAqI74vcVeVMBLwWco9z3HlrXT3tEaneofEZozkE7cn9vQB9DnL+4knS9sv3ucRAaCXIaxI7xyr3FbUUZ5Rzhe0H\/cYTVgieCFjpL\/MHbGwM8eU85\/OtgxMEUVvx+FYdQ\/Xus4ZI3uf5Sccum7RwRDv8sIndEhRGPvW6LqHIsTfNccr79CHKeIR7FkuijEUaO\/OqYmPbzQ9YkqFMB0+Tu2de\/pxeyvudZ\/WVSNhP43OsfPzA72r+zg5t61EFhlrL5bWOOEBWzBkPF1I8X818Sf5\/376K5qlegKQkwXbKRdlJ+dBlPBuUql1J0vaDbHbdtkri1pYwK7wgzini332ipIKeGOeTt5wWKs\/UJc8BSkGmhIG8Xe4f\/NsV5rrZCacV9nG2hTZxgeB0tylrutu\/sCHQNDsVGkcvI3gBB3q\/0vTOgej\/JcQ4b1+hotEGJylJ+eyNmc8vorXCiSHXRHzvzK6jk4pp+0UjXNTxLiHVg4qUFAuiZDIaFzX4O6D8VhmHlbVkYqgJqOX\/uGR2w48wcRx9Vc808nXu61mwFTYRoiQq6\/ejhNCo1BFujUS+hAxzQetpO\/K5aXDdT5Q4tardwiCey5R\/S0MvN5lfkF6zaPhPSYKgg\/PVYZCAciZA3MsJgF49NaKBsik5yEhsb0fgHIH4GeJ4dVGypxdg+2R4daILk6+rl5UnRJPB7824ueIIesQbwA0lA8APOM9i8n2eIOONbuW4Fch\/s9RoyFD0e4YfBpbfMeHceRyVw\/U8NAA5miKE7gJ9GuxC\/pLi8D+krZcFlG5qjZxha\/2jvFLl0bUDdodexooW3iKcNN3NfGh0KXY0d1erClHiGv\/E2Ibb5QUKKhz1HCVfievXCuKd+iXQXwtn5XRQBAaoXdqYslwAQowDTy2gnBMtD6ROBrw\/dyxwRv6sH1TAiCU27nx40639\/Kn+\/kwQflJnb5sjgxAjt821QivnJMxkYJXQSes9hrIx1+nbdW5JwYP22DoX\/Iaf70c5QuYAq3SeuASr+5zuspK2w5qYnsSROZDDRK1QTlHH6uPedRlv9zXiHIQFrgkR2ksd74RBk+t2ovUESSY2bLpgp8wt6Rc7avWpejX4lK\/vTU+HrSv009gZNULrkFU9\/s6bchhE7dkLoaS9\/GzcGhWo3CsP2t0nCGb\/Td2B4xrEPMjPUmL4ec+Izyi00UCIQHdfHsIo6Yd9+hdY7bTkFVVpPGwAIAMYFlXoP+4dIvcw0SwDKskFVWrE53M6bGPKkMA9fESSRf2TnVsJt15VCvXBWWkgs1da5ZsxB8Hxz\/dYLjutOpGakDlN+mjMre8L7PKV4IjOXfFHcklueZlHFfMiKOoAxAnQsxhugdCoiNxI4bCX\/geE0qtc5uywOU\/zahO8RvxDDLxVByl6CpsYll7DpRqay8ia0LpurHZOx2CQoD15zpPDCwpCtrdWUoyRdrGsxmrJ2BOXmiQvThstJVPjn7OD60GBa9VTfhetSOE5A33Rrn5fog05TTsAblGiM3m9yb24drHjEj4HLA0FzYwHEpoPH2DAxRl\/HcA1RuOiYRnNIrcG7werbjY1M3Sa327qYs+3pKFYs\/a35vcUkW6dvfmHWdKRgkl\/lQ8+agNAxx7ytNkTHTtIqy7B8vZAL8KUlPxSj0gt6f0aahHlR4x8+DpVQ03HO6DciE1DtOwpSAVp71Kx1IN67DvbZE5puszzpjMOBMXrHN6EAiyiDkBLRIljHommON+R\/R7kjaffp+gcXAJOOcCJgwyYulXqPEcVjm1lVMWAs1unY+V\/F+uNEJlU+n7ycALtMx8JoapYqpZ\/YERl98enXpnS4JSwG+uXe5eti6wMKtUHR0CpD0ZTaMF8UeGRH7e42Bzv0p2Tu8+lmtnPsKgFOqy4qM8flcxd6FbT51bQmVGBKOz9hsmN+xzNeSS+G06P+gRajneelM9Ml6rshA5Ze9XZNevJ5URGA3+\/4zmL4ZChYcdSj\/dpBrk7KKsyykmGEDSTp0wnUcOoEbwOwdwy0yJSEcPdp5r4I630fJq1ThajSOsveqsNFTGmChRopw616UtUsJ34ZHIEkewDajBG9ciLWIlp9JmiNQA5sdS6h9RnDTz4gD0aZFiDLoQvN9kPOuOrWZL1brHSxQcSnrfMBFNQDS\/T2UGyKc\/3NhjlcLneltmMwChouJwrB1wWnIC01Oz5ybtO8pgf3mNoiFgyjsWkdAUm\/Ilybd1rbLiMUzw1mCAstjt4EOmL7ov3wAjxxXQps5EmW554KBvP1pDfN2rrVJj8KZ39yz2IbgzFEgyGCjwvymAdcelaUJTipIuCs9RDJdcgmqgxPTZvY0sCT6yaegqEtX8mPz0dFB1wQRMIMB3iywLf+BD8w2hn9fbF88bQRFOTjbN9RJAZwgsHlzOUW0OITmS8gMTFjKFJXyDwGQs4V5LS7fkoeavVxpcEnLxnIotXgNPlS6kU3L2b+eqbGq3yEqaqKVaaCBZKDHd4RSvx6acZ5pMN5tixoPl4VRZTUbncjR7CqssSBkstKemgBJcL5ptv5lHRt8KC8r\/D8drxpQU6SzlMe8Tdv4CsPsMIr9ShohN+dGdO\/Q+YZ4MlJdXIWpPVis9KcBa3BMSAQLL+wlyCrC1DxOauyiJX0pZwmBAP3uFWYpTYr755AsZF7IZSWbLH99OcdO6P4QCsINoDJupHWX0kT9\/ILwvpJZdiJQ78usj3ggE6ufPm5r97uptNSwYWvSBqmpmh7Os4JXPxuC\/oYA9qP+88oU+8sIO935wIdjeKeCSU612zzY7tJRMPJqwyaKqX3F2Ml4mDMtJUpcDHDxd5wHlvcRljGERWhx34qQJ0JL1LapC2Yuq4xWUrbCUWIVjCtmYEfa\/GCOhoSh\/4je8dI1vcbamF7eNP7KRXq8\/j7\/0nPmbGsfJ87rF4KGJE3MFdoClkAlUUrRLaHhiG4eZ9J4RLozN7GBOCkVWWHN5ZAcZUx66oyu0r3mEpWpEYuxlZEtQ0a+RcselQYXz6IuCnJGCHSF5B1YQT8dtCh9Y2xHMplEk9aMjzAZ5TsQ0q0NkXMybToCx5ubpzAZVkBaOnBDwCW5JzH3qkO4m1Y8AzssNxnQddR29gzWPYQyg0Dcxm1OWwVAXNJ6\/SX+S4aDPDV8ymCuPPXQzFDKaJwJOJBrmrARsHZLfI8bbIQ48Fh4G63fa81NkkjBQxfp9npgdy\/bdQCu13ZEFuauYxibrh62hDGVsCl\/5SGVGkTy9NgczZgb\/uar58fVvbN7SIf7HV8afG1gmewssOzVfLq0EfY3Ny8+KiXGGbDHWzNN+mc76\/nymmxBGf58LS4248blw+sucBQGQVLLDUzJUq6oCJofVMo41GsNYXtH6fOPynAzsThq0D8e+jjNCAqLVtm8ZFeahT2ZPmol+LspHBXCkp\/yVPnNsRXEIy1hHfAlZS0eNlJe3RBx3FXhymlEy7K44Tcf5Ni76LhiEOGvYVTVMa27PUfsI40MkT70x7ieJ6FYRIKzUIbAeMHnpEkcHFPy4DbfR3wCD0UChKwSlx6Kady5x470xmBx8VRGz7irKrOxiLKUIWgrzkoggeZwA+lAGQDrqHT4AOKTC4DlKf9XMt2yEfQN1DUxCliAnWe1v3AxbxHAnyrrdBz6rSSe\/EJcFEJPHQDm+UYHvApVKxi\/gRer4sQcA9Qcm4hgZstp4uGyIRjL3SbYY5uAltDI2U+EomQE+SZc99KHDAr0k8k8hb9Gg70cpj29qmGLTPb5l\/3DHw3hH2ywNNERWgs\/V2+UZND4pdNNwRg\/WA+n9o67rtYl6LGQao0ud4GmQNsHYt2eZIgivRYvM3TBPzIaE0iufnYlLjU5EqGxmZxYs40fwTKrnZoQgbAPIbIFFZg6BoCWJhCmgJD78iD4XdzxPvjyshu5A2Z2bNVwSD1OLUxDVRqMgDlcZKJfm2T44YKUT52rhectH4b2OTCH8c1O1WuFpSgRsi9xHBFQHaShA1XiZk+5tiBMMFCLFcC4MqRhIryL1Xt9kVjVw+bLo7UNTs4gMlwM8op3FwFU9JdV1TUw4911Ic+da4z2g0M4eomEnD16ypzV9YvE7PbfX4mG6DIOC7sus4qkeLeUGh+og8npF10LZ6uMQ7NO1jiICa74N4qYd3biZ2PKKCUPsRwiQ8GC4+aFT2\/CElHV9Tus86MeNo1mbxN0MelU9Tv3Re3vPhxieigjbNNg7c8NH1lbKWgphzZEQvqW\/1D\/3eHKWu+1spZcYRk1Cz9Xq47QMTDt1ObhcMRa5MC4OOHU9i+rgy4fH6BSRbTrht3nvfqMzfW\/xgs33D0hwh1eVnBf0PGbhUThT1lBj1exyTJfY0HWfjSfQMcp7I77rxN3+YWgUHV7XikoArasQLBJv4w7LEHyPYY\/+Vj6MwrFWHNchEMNzwTrvd5gF2snhY5eOtRIPg+818Q42DU6OcV4f8vlnYUQXHJ8SkRn+4youn3U7Flx6hzGqd2Kq6kiCNHucaRMmTmTslKYPmix\/DLodndpVGjrAX1amNgwhKlXOsAMB0\/QNROKmcB4zyic9xrBg56IIaTIyKlzKqtQmPzvNxhGKlRMnOEmeJz484gugsUkGQRSGZsTn752c5fp\/IEqJ8uO06Q2Vk9ObzNlHD2qPgNr3K3prb\/xFlwsiNhd3rnU5zIz258tFai7AkGw02iNoM0TXj+mXQMzdOfh3mJ0aCjK6QIj06WOb49ENoiSpchtn\/rXre0PqCm0oC0LPzaEBWDuGyE4WXyH4B7RRFmEYW5slZ9NTVAoOblrF12bwGWUWZDXYeyloF6n2uG\/o9NeOXOAgOMUn6Qv7n9BuhyeC2CiXSHy9y1DZpR8fSv4tPvT6pSWBaQzn5OybvIa4qPoDDAr\/aevKfSF2fAXnhgGWBUOOTRt+hLhFaJNdtqvRBdx51pBwyIqerZQgU5FRr8SgKQNR2Y2UhyDv23ipzi5YxCcOTZ2jTSqzkEdi3KYA\/wG2cHQGq45NoCTDSnVcPFIudxM\/3a5ry93rXYJZAqX2xeRag6MeTog5DxqXTWxNXleuzrGrp18MJKeuCGoRELstSBk\/OXSRnOOFYAISrRtIKiI1BDl2DG1FmmhToIftE+V7CVluP2754NMSG9uzEeQs3I3J20AiKP212JKOjSwfMFHbTzB6c\/OS\/Dm0j1XZljzAYlUs\/kR1qNINEaMAzMk2pimuLm1hyN5pCk7gZCbYyWGF19\/AwcjkwRD7ghvW+nZXFjdan8PU2wH+591yQMbZ4MbTPbDRHzTL7S+MBYJ2\/sXwg2MY2ZLdztxWVvTvwKnb4PuBIochmxGSp1IXlXQtqTgOX5IOA87fk9yU8i9gc\/SBU9pLrPV3l7cVmIltaUP1TvVwUXppaij\/K5aaC2mJHbFTV4B7kJBIBm8TkDKSz4XSAvvMjAepqD1w\/bbYOlro\/h5d5JOSsR9PyLluINE\/74JuqI68WT6pjkeMox1U3aIghcOOrBvzNoBWC2zU3s0wAhOhXJ5utKtCv\/KPcWNPLlyQqVLFYwGgRuUQqNX0zUfdr0E2gdcPE6qpwGANOs9GCCLDTiiLS7bWx0EfgcReMav5+JEGXSdNByKxrvNDELfM2q+bwY61CR38rzDlmu+d7kCAJE0MfDfOLlvE8jPIcfNslyerg2Niox3zzOOsva9xFQ+7GfKZNfnjZtuNFyHUvIFbrlEpcW2H3B5GCMp18jQh8pWrdZczJcc4Aac0gIh\/f+5s4pgV0LPnYCY8HlcVR4B4j4rf4MStSEHzAfZpX\/kYYtsvurzT9EVgYdMvT8FS4jH1W2j\/U2PegzKYNnP3wpYj9CFYKs2jYvLJ6jvD1XhhfR3HRnE4jc6VMq+DDRHlKhG+mti4SyS7RbgLoH\/gHbyMTarFmt2bNHYKgQjqXC0LQQBv31rntuVVHOOazc1DgG+ROX4T5TvwQs6eGOsWbdrcKWpAUmYroutV5glxQd3vGWZ4LdHNLGKqFDSFYJ1I0CTO38x\/0iw1\/MjeLEzEax+jzi2\/wKhjbPMsNk8t68JhGz+VuwI+Z5Ej3HZjM1rMIfExPRP63c49wg47vGSDiML3Kmr\/StRE1KB\/dkvjdDFkp81ryiM0pXrciOaFy7FbL0Dp3fZxLadEpfIvFfiC+mJ2Ig0nQBpqbcfxtk+uFym\/A3yclkZJ8EsWa66dmsk7IUIuXnp3apKNGJQGgbKfLFoWVWK9YsgIPRVOO75R7xDUz9q+\/wdhL6Bvp4iVjP\/YAR07vo9gAmjCQqesZTMhTVAMuXwlERPWl4wtpF0b5ylA4weK63l5VHHeTekepPlmM2ZPgEhPena+eVgrgDpDeBxLVpfjhJdh2pAkFl\/Itj9E+vplhUX79GInBhWr\/Rf6Tjy0aYfZr0bWyYSBA4lA\/R3m1Twy1xWEASJIZt7RakdMzwqSqsG9lO3ibhG4+RjlC4e4GdCGiyDQQToec08qlMrsb6jxurIYsIGEk0i7kTLCjGpt\/7opsmGBM18NONK6EMJiKHTtJSfE6GUrWpQuY5SLFCm6gA8oYUuWrxKHfQRd\/xxiqUOBihtPkSKSDaltV17NwQz36J\/hq7FSp7FqFWILEjYV11Cz4Q8VPxjhoJHSi13GdXpUqGm0GBbQeg63FDVhJQnw1kGtMib2Yf9xU\/2NEYFFK7LIAJAM2C\/v7UelbF21DXicOd67I3RYOxT1R0rQngFVKN0WCK5NYlT7XyG7Vg7YSWOnN7\/AUvIifx6LyicWi1MO\/4j\/tgTPePrYWavU05+b\/X0YGJw0tiFpwX9M80SUeMxuOtQytXsEqklHKltggwksPL2krZgWHjICBOqob2ykobwQ0UULykY9YgOW56Wme\/aLiUQFq0Q7CcJZ89xJ\/42FYJa5lXYH0P\/TM4DppbEtyPFNh\/67NoELB1LkZzEi9PSKyDlIw46NiRT+b8O5ewhbmvpaPcyjC4QGwhHZzbE41F12Gy\/a+cthlvd2qqfwaADTIaDQaJdI025YNkamWe4oPvNi3l6\/btVtWfpldldFiHyFKr1pGyZMk9EyWmCwq3P2mU8qw0zx4eaidYcuaF11F2nyih\/1jIDMAv6DecOtXXxaC9t22nVGRSN2I8zQDT9Yv+g6EKkg5IoICNkMCVyz92eHyfhPo7u23FiB\/HYWhItSJu930LbuZ16E7PJVHYerZwOmqZ\/vHjb4AV0+CE1EBQsVH\/i2r5kHBpovfS7O+8V08ldfPT9A3jWuRmId2jZeFrX0Y1jW9PPFq3kN\/8Ayx7DJya0qzksVuotjIrX0kEdictLzsbhV5\/0DRM7eZLpfc2JKjGndPrkLjiwchhqshbFfpzbxelwMx6zZvb7VmHdVgFsZB2ze7oFfvO81oB5QZJiUVbpxPx2JNOIx\/pUhvvI87IOIge9wOl382BYu3R4q7BkQ7nVP831IaIBxMgFCR7ue0QA5EdpeatlCYAih6CSKLm\/EIRwc3WEUYMdgE7QnPHHL087HqX\/nntbgbSfLUOAnAXQkrDsSI\/TSAxhBaBv4lWfhqaBNKqEQBg5aP\/h0Ai59KLBeMmkDbSqMKamByL5gQBIpRS9y4DrX\/1ERo9Ya59pxvDSpoLKXesALpxgN9RW16xMT7IlPWcBlscjLpFdFLypa5KLH+JTwfsacKE+sa45b49P3tnkUng6KPAvvPrEfY5j4Ds9+GkLoSbIbH5pITuii2U++Fgyh5URgBWDAKBXhsyZpFCAu8Ej+EFhSgesLmUb51pN1UQjHpHOpNKENl9i0RNhG6FXM1qXkmMu2OfRbi2cGhS3Uag2V3K3TnWZOyuwPzDfHVNY2hiKBItohKS2Toqg3LdwIX4ALpN6jwmMY1vJ5pN8xpvy8BhSbpE+drY\/Um26d\/568MLTQYvxke7bs6JitpSjGt4aTSaLzEFOAlJHpgrPvyGdkbKOopCOalf5VBHqUYEqNlCcQJZGcKuibaA+CKhOcASVH\/dVK\/LKcHrVhSKTaRPzOYsOR8cAZDnbAUwFggdNoyi5AiVdH7pYEQi563d4YRRkaDPChr2MwLzQE5Z2eygLLEUTjZauDGSZY2STnngf\/IFlcIvrZPeVh\/jylOHbUswONx8QlhfQYnnpy\/R85Na3DWMvwXLNBAqERWkZZKomQMIbQIRE0qyaS8pD\/S1iK2i0+KCh9nzrezGe2syhY9R0fJ\/XdWKevEaiI7kaqf1UefkR+nEV5Ton0W3N+LiNBqHq9gt0TY4ck8lB4MOrVIWh06NYI4dqR2XxG3d8UkPSyGsXZLY2DwVVGbGGG3rwPTBOXnxm94DBLqQATM9q5DPAAAx2DozZw5dByVWvjGoJA8EL9VQXQu1lEGLqJYNQyIVCkF6QW+5MjxYTioE4qtS8rNVnHqY4P21Cf03AxWuudr20+kG92517E9SQKKnas+QXUuGUrnpUjVl4By\/KUFnJ2+xdKCPpA+KrtUxlUnhmAvK7qpU\/U5QYVZWIgUVItSRUkOwG5PSUEUhbpCYjr6yl6lY88iNEysyPHFRS9YSqySI0eVc4rm8ImRTMH+ksOCPGH2De5Qn59KEuuVAecGPg2\/Mcddhn3Py+S8ulYnzyXMfE3XFNwHBvEiriFlv0XIjjwyA0r9hXwjK+aNKve2FnBMWar\/l13ISuiDDW9Wbg2B0b\/vKVaotaIqupOH3j6LXyhskiKT3XLI7kub+w00Rn3C\/2vUOopzgJn\/xBSioIUg8DQ8T8MFORO644OuC8Zg2RMpkd0tJgqM3LWCw3sxuSh6Vb4bnbfBDuAymXSjn9qOspEuBCeA1Hnqk6Z7EQbzo0cy649zYnv2ti9ahEUhoAM6L1YzTESZlB15lVjy0qDCdjPm+\/hz\/W0kOxYPfdhaIMKTSj9xaVgzMeNpmM0S5rGQwr3gvyFZt1867yMXPHyrpdt1UNsFQKFZyfbkG32GuCiNPP1\/QS9MzblcB5bksx08NY02uG5jalIPOsl3bAejoidRCqbCltzBCzag4e7AV8mQbO9hTv9z3eezvEGVMUsgiRjtDYdjvfVGBECkbf0ru9ReTmeGO+XvPbgeh2Ytdam\/apmAzbSJi1xS8AmGJUoNBA\/uhYrOfNjLMBec+NJqM9y9hzTfVeV7g8deX08XKP6Wz1myxKm8StLXGSkGfZS4O8ue1F0t+84XKj+3ZDouQUimMXjbIfKPaQhrIbUMK0vNtEpl+VtmSV4maqKwSVJ7EKWx8mI97X35iYPD1tvVSsC+LuPG1sPdvVCWQAiSx5sPOhx+nY9D0WgWtXvsyxMmXXwsz5yDIIG9aKaobKMQUTL8bZhrsfxI8oD2agVb2nqUAjSKOh9zA\/9wytMaN25ANVHe3gBEJur2EU0X3hOY5ITCD6HlgNXujbF0w1pIHw20BLpqBwQEEkLcHAg4VHX4BErQ1dBihCwT\/2cz8UPavHA1vbsDMAzxL7HBUf8cyofB6qUwvEP4\/O8z3KDrPpiGvBX3vGX2DmaYPwalg\/6jfs0hNG48mzt8+KrQoPXg1DYsRhwUShkGdH18juAZnuezGG9WMvdB3335J6xvq5xPaNlLrnyvPE00KysWdfWJefGmFNb2PjVNQ4jPs4ADPpqCp5NS55LkgFbcWZeLdV54Km98\/nNOiq72XXX0hVCnoHf7x8MuDyH5Z99myGbQTEr28pbGOfPXI3Jc\/u6q48VW7Gf2nEAWjg3fhYvhsAxhuosw\/1EaG6p\/ZbJTxd6CN4JLT5seUTCi3M9JEJm0rqpM4PDjdjWIAgDQqDPY76K1vB2PLk1lvfOfzwYGVj3zOxWP0mFhNK94nD7N3RdWWhuPITS4+5DaaxXzX1CQvIHK3CFA7j\/mjof5K5e\/1VV5szNtlTZHK4KZbzNnrMdm\/VWJGF0BrOVYUt0Sbox8qJLr6\/GwQJMk6Qenqonnn0f\/MPHWKYj1T5qszcd6n99XKbhzvW6nsb5wfGdaVhsp0WI+f7oMOfujihusQHk42NzfeiHuuZye5bILBKJs43YVrDT4cJSW6dKJkyg2t0rrscPlPNCdX2lPQIvq7EnSH3ACRL20hMeltlKW6O5c7ChXj+Pz\/Eb+vmo0e3DNCUI9apyyp2e3PgufsUcIkO13EGoqcXkimky1tZgX\/9bmhoxlxxUD7MhwUa3BuDottTACLzOvV\/prJ82LaEy\/UQo153zPT+JiyiUiAubV5ORlTSfUKA0OMLpIIUp7cc4fTDsEA80uypKBtae4x0LEbe+n7ERSTiUt2rWa5b0en217CsosrDNp0yJJlyM50Y6SPOGqvMInpBnZCX4ar7m7Zn4pvvNMmY4zwvG2KltKcdpuRZoVaWabSaRpQFcZCpDOa0fDb76nxwiIzH9mK2mlJ2VXZ35a2mmQVjdIfHxQAD20lwC9v9NtkfHuvd5D1Zomk4+i3C4WCanyKbxgGWu9ey2RAtqmKIAodDCCQCPfDkDQXsrdCM\/GdiC8RaY\/PlhKudY7Hsg9Dkvri1jMKoPWaTG0EQTLgPENU4tW5db8rawHN6ag0I37KiQuV7bX4Us+KYD\/G0wjqbsc0MNgE5TopN83GfdbMHM47m8xslieKIeWwh2yhJ0oDDe+ycS5D3yGepy2vgQj7gcZPpNZzHI8dW1I9\/d2z12KhcP1EFKOVbJ3C+agb7xgmovXLvnNR5ve1uu\/2B3sHt1h20WuMptiUGSKyUWmXjED5ECXcUOtBUk52E67\/Fcp\/1WVIMkNx8FYoRMsHmOR67K+ptMDhks2raXq6u0EVRyUNZ31hfwA9d2f5gfWL7BCev\/xhVW7Vc7Row0PSNajmpiuzsVqnaCAIZY9M70CrsgZ3vtmFqVaU89UJD7q4n6Pu9YGh4K9SDiG1gY0EG4QWHI6lp9FpFfXNvA8Db2MG7aAkeQ1nZaljfPy4SPh6KU\/ocbwtWf0JnzPYS+CU1qKrnG1G4Qo+UzoAWIIORIsCHCthQaxukg3CAu5XzfhZtc3nRZS9IUtvQORxhZ+HSpozkqS5VLdbWAOlsWGIGpkEmQOT4VSvcv8Scw3nEnf5f57Mckwfcv\/48CL9BxG2tl9S5im9NV0esQBS4x4GlPGhzmBLibFPumvGL0AoFt844Lbo7iayKSyKSGH4rNVBladJTlmIwV5N5wMjROgBK\/85+vHqE3VUGS6njvdkSBSy987XyMa161au6wYLeBOKQeGotUtQS0Ln52T9ESjQDQU89uoKDcxpbDZx3cEZSkiDymkaUkQAKRrkFrvO7l21XPFy1VRYVBGst0rDU\/XllzzY\/0y6OEd7cx9YYlrYJfcA\/HalWy2e+\/NJQZ0jg2hXvDZSj"}
 01296{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276790,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":11520,"midstream":1,"thread_ts_usec":1654385146472685,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49412,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/13aeb81a47e7632ccdf1aefee19ea65e.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
@@ -903,9 +903,9 @@
 04438{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1860,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146500483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2946,"pkt_l4_len":2912,"thread_ts_usec":1654385146500483,"pkt":"nLbQ0+MztKXvZygQCABFAAt0gVJAADYGXhcOiIhswKgCfgBQwORvtMvRImpQ7oAQAHplgQAAAQEICpoJIiweulb6+ZKcD+KnwfgPmxIli1SDP0WB+TC+gZ2zUZ1MJYnOEnfgrEfocekJHaOM+Eztu22jDjbrklrlhsLXwktGW5jFzoZr3Ytu7HRoxyemV6NLVS1v4GRaLHUchrowoMimCyOxZHfNMnA0GNdZ10WtBsw4gEq8H4X8y8f3\/RYH5Mn6eEzqjI8sPaA+ORFtFcdQ+TmjpdZPUsTpyl+nLhU\/9GpHgFqC51W1e7CLdEBDq\/FQ2WwcSw4ZRTbi\/WGpayOUjE4QZtyN0YXULC8rCWHS4N1MsqhVl2K8H4X8y8f3wgnA\/Jk\/Twlux8TrGuEW5nLXTDPqGMQAlYiMJpFjD2haZrB7TzXXPMjVOcqB6d6igpIOmaJ7Y0Mrz2\/yEfvD5pWGi27w9bKORzLvk9ue8s4aiSRSmdLv8x2K8H4X8y8R8w82CiFh+T6YwGSptZ8TjC0FXdnJzdcE9uEyZwnCOep1wtTzpxjxgEqVLJABXHJLpS3bD6ip0PC8K7M\/yCNVfrglIVQ4OuF2gykfOcPmMbjrz6bh1RnUy5\/MdivB+F\/MvEfOMae6F\/kz9fTSf9smb1on3k+Iw7BNmS0w7MRktM8Ff0Xj9teNF8yzhLN9Jw6SBbhxxSs+M6O4bTT17SVdMQjaF+od5bknXbynCwEsZiOD2GyrhdKmNjvU4f8AG3\/MdivB+KdZllzOEugJUa2YWL\/J9aj6bQ3CMt2YfYZsFk7yyBnI7ZuzfktnJM8b72B45z44I7RsxuiJlZCW6LUdmRB1qCOgwTgI1k8kxEblTVuyjGQPDs14YOevoKw+ODo3i1ks4XE2bddW9CQgJt\/y3Yrwfjg64GjfvwiDex7cLF\/kwZyfP0quvVEcRYOMIYp5ETODXaWekEYIkDknM53nDjYsO5h8fopHtsi3VbhwS0xs7wlfY7RrfW4ggHRM4TVKy\/xlLF9ZudYs668Jlec31c3Uc4T6djHl6evUbLRtfynYrLT6x1eC2dIZO6R+eFivyZGSOkc21mpHBAjzTIn\/AMSAFqMsjPuzkhyEJLBGBy8WixGRGPj9CZ0fSPWNduT2zXAXBq4nWNVvTCfY2zMzKo93KeUCRF6QE5wqyJvtTuTQGRGx\/JdivB+EzowvA\/kwsD5ctdc9OWzlwbY\/hrOD0Tni7E1kzleJbw9c6TkztjQ2kFPTJ85GkJslvP6P0PmszQmBvhmsCpmV\/h5i\/wAKrtF9NiRwGbcho55wUuZm1QZNpkDtIp4QJBZux9ivGin\/AJ3YrwfhExDC8D+TCwO8xwl0xEbplWQ+OiXecqXG0mM\/yC0Q1JW27xCupVnhwyNdqtGTB6hU1mIgYa3XkU6RaOBRM7p+gp7ZXnVVY96yCCx1XTFmQz6loZ6wCyJiCZwo+r6JMZNRGntVDWuYW4s1nNM4YzptecOUlfSFv5XYrwfiqxYSXgfnnDK29jq6xf15wB2wMYa4OCHbMRrmnJUYKd0pn3uDcKWa8mN5mWssYXS+kp75S0NFRuwhKCjGq0wy2w+2tc6xMcQnczdpgsyJ1yC7ORsHTkidr6jFgpD+vB\/kdivG2SwV7JLwHzQgnsSsQF+zT0zOQjjEMVjw1haSkSCIifKvKC3mj5Y0dhyZTzYXaZ7OnSY+nXWc6hLZVtLsn02hItxp6DxJvpBmdcW05ScHryidMCdwrPYVhHQPlWZqvh\/wL5OxXhXaTPVs5T4eTzWpdZai96\/dJXUiQ+eG1NuMULl2+GOXFVBmq1wm1t\/e7SKgbUIjtjB3B5nYWMiVDAyzGQARrrMR25zOkcj8wWkqvOVKuOPHP92npNYb2SGVWylvqJyWCWEusWTUQWLpMWbUEJpj1Nflwp2yKgEK58uzhHT6ziEWLnUyjSKtpinmyDXPhX5PSLmemNZ4TvLZtjYws1JcAW4uOUNJUomsWOsxoMaFkbJg5iIk8I9Qh4CFtmqo7zGeZ07Yc9uR8tMiJ+iY7hvIdWRnXLIsDkMHOvOm4d1lQ6yBacLn\/orawufLsV4Pwr5HPbhlxHpzGGCPYCVM5Dw0dMy7hb4EQKWREd\/lAFhbTj\/UlXsoXgqgc4iw4YZo6D7\/AH9QZYAKLGGAZan3j45a8jnvynzGRGn1V3dPItxhFUZnpBLJE0yLhzcOf\/QMCqI2VfjnHYvwfhXkvC\/moyXHqNcWyJH25Z4YBlXpwghd3It+SbIacSD9e5DuGB1I\/DDh1lrQkmTqSUkyJMYzTc0y6jfonJ7ly\/Y\/VPhfyyMGJmatA2IvCpBymdETpKz96fyI\/FjcV4OOyvkfhfyEdy5jIORz1i8EoITTMYZ++bEgYTuztmvYygA7dR4nKdPs\/wDw0zq\/aH2p3aQOLIQwz3nymfojI7R9AnHTPwgdx6HpPmI1WJQYXYkr1QJ6s93qGc3elCtP\/NjcX4Key\/kfiJ2zWsxhaGBeJ8o1WRRM5K9W+m7jArmsyWkPuY37mAexVQ5kXU0Ol\/C2LyFCUzUZEJPolcISMZ2\/RM6RPx5TkZHn6TnvSASnpryIVGEDnZWtFSC8xDZDqFgVsUvbDHCziMaQj9Nxfg\/CvJ+P1lewWpC+M\/6sCZkNcauJgI3w0ZNgAKljG0gDaLZnelnTaUaZvIcuELkDXrEtlHTJncf0T3k\/lzjyHnlrymdCnzSWEJ3AMzYkcVaIbDRK45dYBywMMGsuRy5a9HTpTo1ha148OjF+D8K8lm2cIcjAcwV+pXyCd2XLPUJYmwhjbBnuKA05Wo0dldu4Sx0blik+naLpoHxzmdIpJ61iOCVdZ4HTyeBVMZwOsIWKAKWPj6DwI1OnG2rOwsuJEcMIlkyzWETOFTgxYxYBbtHcsVZ++f8AFjw7F+D8K8zyPyCuqyFFt9OvAg2TduQkFnrFRwADHEUV5jbjLYDJbmFI8hZ1YLvFVu5HHJ2iPjmU6zSWYwsrW2WWBiD\/AOcmnOWY0r\/r6D8VQ3sSDZj08TLkwL+ipeK+PjCfGziF0rbMrfyi\/h\/puL8Hge2dYnJnTBEjKtW6C9YmNcmRAGx1Y4ZIQ+Ggc9HrT7Vi5kwvhzpZYCcnTQp751N8rOVzxV\/WfHjkU4sd7K49tceW9lgtFriIXfLRX0lnDo7qn2MdshEdzZ1D64xjC2q4wwt3IZ2n4p\/pneRHtsyhUh728KWWTws4KukVDqGu\/dGxWWHQfL08wKvuCRAldq02w2xcfI8OLS1BZJ8ojWW+zHDGOLc2PGT2jKi9Wp7Ruxc7n2D1jdnEJ1bz1KM38qJQK\/Ue0AyXaxr2V5ayN9p02bX65ILqcI\/UD35cOTKU5BwZ69QfZt6mdSJwrBzgsMyozo9GisNg6WrPunvNSdLUc4nbDmdosbUeZzxhFukYyqW3BONN2JL3sLVu7Lk\/d+jTNBjE7SlOgw2S0ie8BM5vFS5sEXKPHLgvv4XaSVZ27AGTJFFiyFUbGq3Z04CqqN4luHFjERq\/HDsxXmr\/ACFj1JSXVziFY6tzFTtbHMtcIZx\/bI8zGmFODGuTi+2AzbkPjIPaxs+6Hxlufd9Jea8iA6smBV3iBGN+6bVnrEU8gnJzTP8AHi1pcQr9cDHTKc6Wx75u7mP2gPtBGhktMo27Z3nlqPuBMRnDq0mdpm4xP71yuq+PEKK44Vg+IjWYXkhGPyz2xLNkkWRGvIO5QO6NkjkRnfNxRkmUYepQE9uU+I8TGuI7ZGDIjBM1yy37X0jn+P8AaG5Zfpa4XT3ZOT853LwyA57ZBhnnNCy3\/KR+WrlL89j4Zp\/y4v8AGvIwsPLXkfOD4LwHwH48ixnn+5+I+fIsHxi8H4fu15sfn\/Q5+585HngHyblr+Wv8c5\/acmI3bRzwx\/YYmdP\/xAAqEQACAgEE"}
 02485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146710077,"pkt":"nLbQ0+MztKXvZygQCABFAAXUgVlAADYGY7AOiIhswKgCfgBQwORvtNcRImpQ7oAQAHoCWgAAAQEICpoJIwAeulfZAgICAQUBAQAAAAAAAQIREAMSITEgQRMiBDJRIzBCYXFigf\/aAAgBAwEBPwHwT4w8bm3USMYxX27PjlLlkYJD1Ir2KafTHpqx2v26HH3EU7EPHsmL+zZdjdCUtT\/h\/wCYGlBdk9ZRG5T\/AGdDWmlwPa+iMpR7N6l0ONfqTpkZl4smLFZlwJ4RYo0N2fI62kNaCW0nq+oEYe2LTjRLbfBpxi0ShGOLeEqLojK8TEIcrzqO3Ylm6Q5WXh4it\/Bzp8mhX\/0nJRnwSL\/jx6LJiwvBZk8vKtPgk3XJPreicVGA2JWdFi5KxEmIXeGX5NCid8FFcDQp0uUKM5Kie6L+w\/5EuCUaFGzZQuTo2ut6JOxZZXik3yNC4VjUeyjckLklSIytWa7W2vYkmuySo9YuyL5H2afdeiqIrF5Xgl\/TY2N4TEvtRONS2lx0o17Kjsv2OLi7JKL5RJJxtF5SpFlXEu+xf2dSdQoVpk408I0dNzdnxJ6m01dNQR+5OcktjPjTIxsktuIw9smx\/wAkJR28k6vgXkot9ZVOZqcITTJaf8FGjqqCpm9p77F95W2JqH1kS1N8ro+0SLUGSlZGKXI3Q3YkuhRvhdmpGmIWJK8qbXWfx+Z0a8eLGqE+CUZVbO4kokG0+DfIUmjfLKkX6KwnTs1J7neL8oxbIxSVGjppcjjaJx2umM+W4bTTltZrxqmiiiisR021Z1i\/DabfGOjYoqIuRKsfkwtWIsuiWpujtEhtIaKKN\/1rzssrPRZKddn4rc3eWrRqR2yaFiKoRLUjdCeGhupULKyi8PvD1odHy30PcnyaGvt\/4KSasnrbejT1dySNWMlLk6xFNsrkdCdEluO0NclYRtLihixY2Wh8TGjsiq4NLX+N89EoqfJopxZrxuGLNL9icK5HhD46yxriy8PwfeNRdPwmaWq48Gm7ZPofYjS\/ZH5MtsaFTjQtMdLosReKoQ1fg8Ujbu4I\/iR9s\/J0VCKccT7I9o3VTJMl2McmhycuxG\/Ho3F4trsv+CzvwWdOfHJrx3QeJ94+T60zQ1r+jNT9i\/Kv5wmJknYv9DZ6OUX4ItpkJzlKia2yaJYYnTsb9mnpSkT09vh0PoeIsbTRvOH7JZXglFnEI2Tm27Y3Ymd8iVmlpQ9iiakOGihtCd8Ej14XheC8FI1NVylRZSNpVY0Hx\/zE198r9jVRNkY8DWGsIZWI5eGuSvBmh7QpfU1JrsfIhGq7Q+RSGhrCXhVi\/t6LakamrtG5SEuBCJdeHY8VwesLEJblfihFihJkdJezo1OZFliOmSXAvBlG2O2\/FKvFo\/0RnXSPkmW\/bHqpdF+8oqz0dYjKuzchsZtf7ZoXlFWa0Psj5GNtlCVj4wxcFikNZoaw39PBE+jaxyFO1WNPs1K8ExliOxPCbXI5buiKHed7khl0hdY9nAo2bafB8basTou8cnwzZKO10N4WGy0WaenvQ9GSKaHxhP61iSuNEVUaFbXJRSE+ax2Vj4qSbNLRdHxcck5W2xiy2Xj8OdTocV\/A9GLNT8Z+iUUl1ybvullFexssQo2KVMkLs+NY\/I1NumxK3QxZeIqzQ\/dFn5WrKKVGnxBH5CjdlXK8rovLEx9FkjT1px6I\/k8Wz8rWUo8Dd4jl5\/GX9RFmq0+JLgjq7VtRrS5P8h5cjdZbGUV7OyhH+JrO8IhC1ZsPj+o8RNOPs03T7Jz3G+sN\/dDxaaxGBTLsXAvsS44Gzo0tRPgm7wl6NpRN1F4oSIcxxLhFtyw\/2RJ0OTZFcclIRSJOiLuPJdZkuCH16GhcGirdlY1l9co0lwdGoyixolyQXsTxeGf6EiRBWa6pcEHyW3wM0VwRijUjRNWhixodGoy7wj\/Ej+7Xl\/\/EACoRAAICAQQBBAICAwEBAAAAAAABAhEDEBIhMSIEEzJBUWEgQhQzQwWB"}
 01282{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":514,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":514,"flow_dst_tot_l4_payload_len":4320,"midstream":1,"thread_ts_usec":1654385146710077,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/f05074256b39572ad852c1c95eb5f8a7.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
-01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83908.6,"max":876517,"stddev":182026.6,"var":33133680640.0,"ent":2.6,"data": [216812,1301,1174,217584,379,838,730,814,206371,3184,729,1431,202135,477,2906,412,436,624,742,876517,236517,1,2089,899,206105,416,0,0,0,0,0,0]},"pktlen": {"min":351,"avg":2761.9,"max":15906,"stddev":3042.0,"var":9253906.0,"ent":4.4,"data": [580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01759{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":354,"avg":81334.7,"max":886861,"stddev":181110.5,"var":32801005568.0,"ent":2.6,"data": [223740,209594,1687,207155,354,1309,724,462,462,1177,203967,420,1398,676,628,3543,886861,237591,464,978,2452,823,206716,876,409,919,651,0,0,0,0,0]},"pktlen": {"min":351,"avg":3157.8,"max":18786,"stddev":3724.0,"var":13867893.0,"ent":4.3,"data": [580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":119296.6,"max":899707,"stddev":203504.9,"var":41414242304.0,"ent":3.0,"data": [205636,2121,1,224803,394,328,1444,193718,403,372,1728,1281,1888,225980,899707,237971,1,2439,199154,468,952,1305,407339,371504,1478,0,0,0,0,0,0,0]},"pktlen": {"min":351,"avg":3665.9,"max":18786,"stddev":4182.9,"var":17496908.0,"ent":4.3,"data": [580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83908.6,"max":876517,"stddev":182026.6,"var":33133680640.0,"ent":2.6,"data": [216812,1301,1174,217584,379,838,730,814,206371,3184,729,1431,202135,477,2906,412,436,624,742,876517,236517,1,2089,899,206105,416]},"pktlen": {"min":351,"avg":2761.9,"max":15906,"stddev":3042.0,"var":9253906.0,"ent":4.4,"data": [580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":354,"avg":81334.7,"max":886861,"stddev":181110.5,"var":32801005568.0,"ent":2.6,"data": [223740,209594,1687,207155,354,1309,724,462,462,1177,203967,420,1398,676,628,3543,886861,237591,464,978,2452,823,206716,876,409,919,651]},"pktlen": {"min":351,"avg":3157.8,"max":18786,"stddev":3724.0,"var":13867893.0,"ent":4.3,"data": [580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01741{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":119296.6,"max":899707,"stddev":203504.9,"var":41414242304.0,"ent":3.0,"data": [205636,2121,1,224803,394,328,1444,193718,403,372,1728,1281,1888,225980,899707,237971,1,2439,199154,468,952,1305,407339,371504,1478]},"pktlen": {"min":351,"avg":3665.9,"max":18786,"stddev":4182.9,"var":17496908.0,"ent":4.3,"data": [580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01094{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_packet_id":1,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":489,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":489,"pkt_l4_len":455,"thread_ts_usec":1654385156800184,"pkt":"tKXvZygQnLbQ0+MzCABFAAHb3B5AAEAG2pzAqAJ+rNkSYq1QAFBdWbpPyM9cBIAYAfaELwAAAQEICmU8LGE7CqI\/R0VUIC90YWcvanMvZ3B0LmpzIEhUVFAvMS4xDQpIb3N0OiB3d3cuZ29vZ2xldGFnc2VydmljZXMuY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KUmVmZXJlcjogaHR0cDovL21hbmdhd2ViLjFreHVuLm1vYmkvDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCg0K"}
 01222{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.GoogleServices","proto_id":"7.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","http": {"url":"www.googletagservices.com\/tag\/js\/gpt.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
@@ -927,7 +927,7 @@
 02024{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_packet_id":1,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1185,"pkt_l4_len":1151,"thread_ts_usec":1654385157001678,"pkt":"tKXvZygQnLbQ0+MzCABFAASTjHtAAEAGODHAqAJ+oXUNHcQAAFCrgt7ji0XD5YAYAfZ2PgAAAQEICrrGVbOXEVcWR0VUIC9pbWFnZXMvbGlzdF9kZWZhdWx0LnBuZyBIVFRQLzEuMQ0KSG9zdDogbWFuZ2F3ZWIuMWt4dW4ubW9iaQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDExOyBzZGtfZ3Bob25lX3g4NiBCdWlsZC9SU1IxLjIwMTAxMy4wMDE7IHd2KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuMCBDaHJvbWUvODMuMC40MTAzLjEwNiBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KQWNjZXB0OiBpbWFnZS93ZWJwLGltYWdlL2FwbmcsaW1hZ2UvKiwqLyo7cT0wLjgNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpL2Nzcy9hcHAuY3NzPzE0OTA1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCkNvb2tpZTogX19xY193SWQ9NDcyOyBwZ3ZfcHZpZD0xNTc5MTk5MjgwOyBhY2Nlc3NfdG9rZW49bnVsbDsgX19nYWRzPUlEPWZjMGYyMmY3OGQ4MmZiNDQtMjJjNDllMTdhOGNkMDBjMTpUPTE2NTQzODUxNDM6UlQ9MTY1NDM4NTE0MzpTPUFMTklfTVlxQy1PUjQwVGFRTFBJdTd2aGtaLS1VMXRtLVE7IF9nYT1HQTEuMi42OTQ1MjQ1MjguMTY1NDM4NTE0MjsgX2dpZD1HQTEuMi4yMDQ5ODYxNjI3LjE2NTQzODUxNDM7IF9nYXQ9MTsgX2dhdF9ndGFnX1VBXzE1NDc1NzkyOV81Nz0xOyBfdHRfZW5hYmxlX2Nvb2tpZT0xOyBfdHRwPWU4NDYzOWI3LTk0MDAtNDA2Yy05N2UxLTAzZjhkYTQ4MTVmODsgaXNfc2F2ZV9jb29raWU9dXNJTXZIa3hQNEpEWGhjOyBfY3JlYXRlX2RhdGU9MjAyMi82LzQ7IG5vbl9uYXRpdmVfZG9tYWluPWh0dHBzOi8vYWtlbWFuZ2Eub3ItZnJuZC5jb207IF92ZXJzaW9uPXYyMDIwMDUwNTsgX2dlbmVyYWxfc3Vic2NyaWJlPTI7IGNsb3Vkb3dsc191dWlkPTM1YmYzNmRmLTBiYWUtZTA5Mi1mMmIxLWI3MzlmNTZjM2VjZDsgY2xvdWRvd2xzX2lzX3N1YnNjcmliZT0xOyBzdWJzY3JpYmVfZ2VuZXJhbF90b2tlbj0zNWJmMzZkZi0wYmFlLWUwOTItZjJiMS1iNzM5ZjU2YzNlY2Q7IGxhc3RfdXJsPW51bGwNCg0K"}
 01213{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385157001678,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1119,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1119,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1119,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385157001678,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":50176,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"mangaweb.1kxun.mobi","http": {"url":"mangaweb.1kxun.mobi\/images\/list_default.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}}
 01550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2061,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":164,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156962711,"flow_dst_last_pkt_time":1654385157145999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":748,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":748,"pkt_l4_len":714,"thread_ts_usec":1654385157145999,"pkt":"nLbQ0+MztKXvZygQCABFAALe44NAADQG7t2hdQ0dwKgCfgBQw9yTFLQsi9xmdIAYAPSXNAAAAQEICpcRV7G6xlWMSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY2DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2ZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsklEQVRYw+3W6wqDMAwF4Fi13nX3y3n\/Bx1dmT\/mYBZSsHK+BziEkiYRIiIiIiLaC3M6Sxx9B1wkBlMBGO6iz3Rwil60XSs441O01T65aESbOcJpIySXvuZctOUHOKV+cm3hZBGSCziVEW2Nf2cboeYSb63N\/rASZhqxmoS5YbVhO1WHvPWGOuS7r1P5jYsZksjkW87rNLbMvBvbSbw0NvrnDnnILInryd98REREREQ\/vAAzzxwTVWsbZwAAAABJRU5ErkJggg=="}
-01792{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1118853.2,"max":6045020,"stddev":2029038.4,"var":4116996947968.0,"ent":3.0,"data": [188503,1,1404,179436,1430,692,418,2433,676,270050,61,644,3892849,3428911,186128,186289,192621,208977,367165,352334,5253796,5339015,3643,6045020,5959115,408,493,194856,189377,0,0,0]},"pktlen": {"min":500,"avg":2827.5,"max":14466,"stddev":2993.9,"var":8963654.0,"ent":4.4,"data": [500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1118853.2,"max":6045020,"stddev":2029038.4,"var":4116996947968.0,"ent":3.0,"data": [188503,1,1404,179436,1430,692,418,2433,676,270050,61,644,3892849,3428911,186128,186289,192621,208977,367165,352334,5253796,5339015,3643,6045020,5959115,408,493,194856,189377]},"pktlen": {"min":500,"avg":2827.5,"max":14466,"stddev":2993.9,"var":8963654.0,"ent":4.4,"data": [500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 01703{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2063,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":165,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156971856,"flow_dst_last_pkt_time":1654385157153682,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":832,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":832,"pkt_l4_len":798,"thread_ts_usec":1654385157153682,"pkt":"nLbQ0+MztKXvZygQCABFAAMy+MlAADQG2UOhdQ0dwKgCfgBQw+Q76a9lejKjSIAYAPQgmwAAAQEICpcRV7e6xlWVSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogNDUwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTFjMiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAG9QTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/L9MC0QAAACR0Uk5TAJSpvW0XB\/bWdRD8t6aZi3E3AvPs3s20r6B8d2dTI0U7LisEPmah4wAAAN5JREFUWMPt1MkOglAMheGi3AsOgDhP4NT3f0YhYiQGMcg9iYvzr7rpt2lSYYwxxhhj7C172I4F0nykCrFLuSiei\/sOWhYa9\/JIKxol69S5PNMqDyYHR8eyr89WKUrWtQXIiCv6kxqduJSPdXl5diinC60VDAevon2\/h5JoS+u8szd85BdjrG3tOtO1Ra+VDn6lva+0ksbT+DNucHQGo0MDo\/0bil7kgqITi6InqaDo6RhGZ4KiVwZGzwRFL68w2rN96f0n+iR9aRM2y5HtRUflfNk0ybERxhhjjLG\/7A7dOIR9fLd0dQAAAABJRU5ErkJggg=="}
 01228{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2064,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156978849,"flow_dst_last_pkt_time":1654385157162185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1654385157162185,"pkt":"nLbQ0+MztKXvZygQCABFAAIwUYBAADQGgY+hdQ0dwKgCfgBQw\/TiBgbELqLpRYAYAPSjggAAAQEICpcRV8K6xlWcSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMTkzDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLWMxIg0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNTo1NyBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0KiVBORw0KGgoAAAANSUhEUgAAAFoAAABaBAMAAADKhlwxAAAAD1BMVEUAAAD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+PQt5oAAAABHRSTlMA8a0mzjE4JAAAAF1JREFUWMPt0LsNgDAMRVEgC\/DJACAYANgg6O0\/E0qKpLIipYt0T2PryYXtAQAA9OpdzlTdsd45sDivkKYeaSuBYZK0x+aSvhIYRklzbLwUctA+Xd+k\/cr6BwEAwA+l3hHvzEdfEgAAAABJRU5ErkJggg=="}
 01547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2065,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":167,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156997634,"flow_dst_last_pkt_time":1654385157178524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":746,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":746,"pkt_l4_len":712,"thread_ts_usec":1654385157178524,"pkt":"nLbQ0+MztKXvZygQCABFAALcrA1AADQGJlahdQ0dwKgCfgBQw\/a\/BfvNoaiIL4AYAPQ5GAAAAQEICpcRV9K6xlWuSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY0DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2YyINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsElEQVRYw+3WWQ7DIAwEUCckUMjWfZn7H7RC\/DTqR4OE1SDNO8DIssC2EBERERHRv13Orei4AsMoGh4TAKdR99ghGjSyXzMid5PyfJeyD1KeD4hOGj0xqe5eJbtHdDRSnmkQWY1+tw5Rp5FtbOq3l1y2+cEGpOzsurHZvEieCZvd91N1Vq9380Jy3nUtv\/FzhtQy+dbzuo4ts4TVbqxkoz+\/75AKrqd08xERERERKXoDf5McEz6WWVMAAAAASUVORK5CYII="}
@@ -942,14 +942,14 @@
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":1,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":273,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":273,"pkt_l4_len":239,"thread_ts_usec":1654385176795709,"pkt":"tKXvZygQnLbQ0+MzCABFAAEDkpJAAEAGvoDAqAJ+rGl5UpWsAFD4\/KHAFVJVKoAYAfbp1wAAAQEICvK1uWDJom0fR0VUIC92aWRlb19rYW5rYW4vaW1hZ2VzL3ZpZGVvcy80MDcwMS04ZmE3ZDkxNmM1NWUzMWY5MGZhNTVmNDUwYjcxNjUwNS5qcGcgSFRUUC8xLjENCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpIb3N0OiBwaWMuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANClVzZXItQWdlbnQ6IG9raHR0cC8zLjEwLjANCg0K"}
 01062{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"pic.1kxun.com","http": {"url":"pic.1kxun.com\/video_kankan\/images\/videos\/40701-8fa7d916c55e31f90fa55f450b716505.jpg","code":0,"content_type":"","user_agent":"okhttp\/3.10.0"}}}
-01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3011180.5,"max":39119714,"stddev":10152453.0,"var":103072311279616.0,"ent":1.3,"data": [353699,3771,104,303718,4300,92,205833,106,880957,368900,1,5053,392939,352227,1591,70,2344,55,1451,285655,2146,39119714,38675191,1,2923,335353,3681,0,0,0,0,0]},"pktlen": {"min":273,"avg":5201.3,"max":23106,"stddev":6479.7,"var":41986288.0,"ent":4.1,"data": [278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946]},"bins": {"c_to_s": [0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3011180.5,"max":39119714,"stddev":10152453.0,"var":103072311279616.0,"ent":1.3,"data": [353699,3771,104,303718,4300,92,205833,106,880957,368900,1,5053,392939,352227,1591,70,2344,55,1451,285655,2146,39119714,38675191,1,2923,335353,3681]},"pktlen": {"min":273,"avg":5201.3,"max":23106,"stddev":6479.7,"var":41986288.0,"ent":4.1,"data": [278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946]},"bins": {"c_to_s": [0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00958{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2093,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAF1WjBAADYGAHGsaXlSwKgCfgBQlbaIVDfjwISJoIAYAOs4SwAAAQEICsmibd\/ytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDg3MzAzDQpMYXN0LU1vZGlmaWVkOiBTdW4sIDI5IE1heSAyMDIyIDAzOjI3OjU1IEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KRVRhZzogIjYyOTJlODNiLTE1NTA3Ig0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNjoxNiBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0K"}
 02534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2094,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAXUWjFAADYG\/BCsaXlSwKgCfgBQlbaIVDkkwISJoIAQAOsFsgAAAQEICsmibd\/ytble\/9j\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APgjVdV+IGpeNdTTTtd1OT\/iYShQt3If4z715latCnfmZ4ajObaSOi0zwV+0DrcSLpOm67cMW4EbSsen1ryK+aYKk\/enY7KeExc0rRubK\/Ab9smSMS2nw88XzK33THaTNn8jXGs\/ytys6y+86P7OzBL4GMPwE\/bXkJVfhP44LDsbGcVX9u5Zf+NH7w\/s\/MP+fbIJvgF+24fkf4R+NPqbWerWd5V\/z+X3g8uzD\/n2xY\/2Z\/24rhd0fwk8X\/iJB\/M0\/wC38q\/5+on+zcw\/kf3kkX7K\/wC3VOdsfwk8Xk9vmcfzapef5Sl\/GX4gssx\/8j+9Fgfsj\/t9Bdw+DnjFuP4Nzfyas3n2Uv8A5er8S1luYL7D\/D\/MY\/7Kv7e8QP8AxZTx6cf3LKdv5U\/7cyt\/8vl94\/7OzDrTZm3v7PH7cFqStz8GfiCCOv8AxK7v+grSOcZY9qy+8h4HHL\/l2\/uMq8+C\/wC2LaqWuvhV49QDqW0y7\/wrVZrlvSsvvM3gsb1hL7iinw2\/aqlk8qP4feOGbOCF066OP0qv7UwCX8aP3oSwmLf\/AC7l9zNTT\/gP+2Hf\/wCp+H3i9Af+e6yR\/wDoRFc887yuG9ZfI1jgMa1pTZrWv7Nf7Ygw8nhfX4x3Mt2ygfiWrlnn+WW0maLLsd1gXrb4P\/tRaU+24stVJHUJflz\/AOOk1xTznLpbTf3MpZfjVo4\/idL4f+HH7SdyQh0LWyfe7Kj\/AMeIry6+cZf0q\/mb08vxr3j+KOx0n4QfH3CreaPrKE9N2oqB+r1xf2vQl8E2\/lL\/ACOlYKUfjVvmv8zft\/gv8cXj\/d22ok44X+2IM\/8Ao2iOOnLbm\/8AAZf5DdKnHeUV\/wBvR\/zKOq\/Aj9qa4UjR\/C\/iCcnp5N3E3\/tWuunjacfjbXyl\/kYTo8\/wST\/7ej\/mcN4r\/Z4\/bdTcYfhb44kHP\/HvbNJ\/6Cxr06GZ5fH4qn33OWeDxTeiv81\/med+IPhH+2JprN9t+FfxCjx1zpNx\/SvUpZplb\/5fx\/8AAjllgsd\/I\/uOR1fSf2hdLYrq3h\/x"}
 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2wDBAADYGmm+saXlSwKgCfgBQlar6OK3h5ubbqoAYAOuKlwAAAQEICsmibeLytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDEwMzg1NA0KTGFzdC1Nb2RpZmllZDogU2F0LCAwNCBKdW4gMjAyMiAwMzo1OTo1MiBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjlhZDhiOC0xOTVhZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="}
 02495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2100,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAXUwDFAADYGlhCsaXlSwKgCfgBQlar6OK8j5ubbqoAQAOs8UgAAAQEICsmibeLytble\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APxm8Z+KPFA8aauF8RX5zqlxgfa34HmMPWva0SR823uUD4p8UeWNviO+GOn+mPz+tLqTd3BfFXipSR\/wkl\/06fa3\/wAabsK7uTR+K\/FH3P8AhI73noftb\/41DsldibZctvF3iaPKSeIb\/pwftb\/41zVUnaxzO7LcXirxJIgP\/CSX3TnN2\/H61jsYzukWIvFfiZo+PEN8M4GBdP8A41EtGZ3d9x8vizxTH848SX3A6G7fA\/Wkkrm8dI6CL4u8Sn5h4jvlzgEfanyf1pNPYtPTRmlZeK\/ErbR\/wkl\/nop+1P1HXvXLO97vQjmfNY6Xw\/4p8TPEWOu3j4bORdPn68mvPrNc9jKpJy0O68NeKPEWVjbxDeYQggi4bJPX1rzar3aMndPc7jSfGniSCBJjrV0V6BTOcrng\/XNedUTlawc0rXuXLXxnrZxI2vXPyqRlZW2j8M1nOMkXGavqdV4N8Z6+t5GravdOAAxzOcZPTvxXHXU+VibZ634Q8ZavqN8LY6jcCIJl5ROc9O\/0rxsQpKO4Jytub8PxJu7nWrdI9SuOCY2UznBHY+3SuKanGDuxqUl1Pdfhb4r12LS4rl9SeQXUiR4LdBnkGvn8ZKTd0\/xYnJoufGzxJrcdpLNbajKI44huEa\/Nwfu5\/KuGlzd2\/mEHd6s8ni8fa1bJ9pm1abMnDDfg7v6cVpNVHLe3zZ0atrUhPxD1GS3aa31W4eXac7nwWHehc\/Nq3+Jeq0uaXhH4i67Ff2oTVJZGJ3bSxyPcn29PaionOD95\/eVd9z6h8E\/Fe\/n8GRG3uTvdcbUQbgSOSSeg614FeNVS3f3stylyo5nXviX4pgmaZtUUCMHG3A2+xHauCvKd7OT+9kx5m\/I6Pwj8X4odCtr3xTdxutwTsdSDg\/3fbiuVxqybs397HCN3ZnoPg3x7jT0utNuo\/LaTa+1QBjt1715OL9onrJ\/ezohLl2PqH4J+JTrXhiNjKrlMKxVQOa5cBXqwxNuZ\/efX5LUU6Lj2Nb4k67Ho+hPdTSIc"}
 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2103,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2OPRAADcGIKysaXlSwKgCfgBQlawVUlUq+Pyij4AYAOskNgAAAQEICsmibePytblgSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDExNjQ1NA0KTGFzdC1Nb2RpZmllZDogVHVlLCAyNCBNYXkgMjAyMiAwMzoyODozNyBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjhjNTBlNS0xYzZlNiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="}
 02498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2104,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120454,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120454,"pkt":"nLbQ0+MztKXvZygQCABFAAXUOPVAADcGHE2saXlSwKgCfgBQlawVUlZs+Pyij4AQAOvAhQAAAQEICsmibePytblg\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/AM3xD4j8QR63dH+1L3ck7AhpTgjPBPp9a\/VPccFof5r162IeInzSlfmfV935klt4p8UWcKZ1e5k3sD5byHgdiM9Ki0XpY3p4nF04JqUtfN\/5kWoeK\/FN8+06lKMqeFmI9\/XkU1GNtjSWKxMre9L73\/mVZ\/FfiJIVhGrTjBypM5IH5UcsexMq2Itbmd\/8T\/zHjxZrAsGh\/tq4Eh6l5zkH+tCjFO9ivb1fZNObv3u\/8xfDesa7dXksk+szZhQBczHkk9+4470q0o2VkVgJ16lV3nLTzf8AmdDFe+IrjJfVroKgIGJSFJ9Ov6elcz5bbHt0nXvrKX3v\/MxvH2reIn8O3E66xdI1tiSOQzkHk8qPY56VVGSjOyW5GL9q8O5OUtPN\/wCZ523jPxLMm0+ILsqByDM3ynOeK6ZKDd0jx1VxCfxy+9\/5lC48T+JplCrr13ye07c+3Xilyx7HRDE1oy1nL72UbvXPEka7pPEV4WzgkXDf40nCL6HbDG4iX2397\/zMy\/8AFHii1yo8S3hJ4P8ApLcdfek4xS2O+jiK1RfE\/vf+Zz2oeLfFKsVHiC8JP3Nty3Hr0NZ8sb7HqUq1a1uZ\/ezNuPF3ifcT\/wAJBfjjki6b\/GjljfY7KdWra3O\/vZTbxZ4tdhu8R3oPQK10x4\/OhxS6HWqtRbSf3sp3HizxZsGfEN7gc83b\/wCNRKMexvGtUT+J\/eyrc+LfFrMWXxHfZwMf6U3T86nlj2OilWqcvxP72VX8V+LSPKl8RXxXA4+0vyc9eDRyx7HTGtUvpJ\/eyC68YeKVk\/d+JdQjAXDbLx8n8CaOWL6GsKtXl1k382UZPF3jEyYPjLUeucNdMQP1qOWK3R1Rrzt1+9kT+KfF8YP\/ABU92TnJH2t846etLkS6Gyrzl9p\/eyGTxV4uljUQa\/enqWzev19Ov+eKlxT6IpVpqWsn97M6bxP4uZR\/xUWolif+f5+ffrWbp0+qOyFeo38T+8py+KPFyqsv\/CUamoYEjdeP\/Q0nSp9jup4yq7q\/"}
-01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":128804.8,"max":1361476,"stddev":284817.3,"var":81120911360.0,"ent":2.5,"data": [326102,180,328843,179,2720,177591,469,1313,2855,118,155,777,2306,401346,1361476,293524,1,1093,2137,2758,88,201,2770,309632,1485,0,0,0,0,0,0,0]},"pktlen": {"min":273,"avg":6044.5,"max":15906,"stddev":5319.9,"var":28301384.0,"ent":4.4,"data": [273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":128804.8,"max":1361476,"stddev":284817.3,"var":81120911360.0,"ent":2.5,"data": [326102,180,328843,179,2720,177591,469,1313,2855,118,155,777,2306,401346,1361476,293524,1,1093,2137,2758,88,201,2770,309632,1485]},"pktlen": {"min":273,"avg":6044.5,"max":15906,"stddev":5319.9,"var":28301384.0,"ent":4.4,"data": [273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01077{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_packet_id":1,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":475,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":475,"pkt_l4_len":441,"thread_ts_usec":1654385181857708,"pkt":"tKXvZygQnLbQ0+MzCABFAAHNXapAAEAG0trAqAJ+aHXdCue8AFBxmTfMTd+OWYAYAfYKZgAAAQEIColJBIxVzQaLR0VUIC9zZGsvdnBhZG4tc2RrLWNvcmUtdjEuanMgSFRUUC8xLjENCkhvc3Q6IG0udnBvbi5jb20NCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChMaW51eDsgQW5kcm9pZCAxMTsgc2RrX2dwaG9uZV94ODYgQnVpbGQvUlNSMS4yMDEwMTMuMDAxOyB3dikgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi80LjAgQ2hyb21lLzgzLjAuNDEwMy4xMDYgTW9iaWxlIFNhZmFyaS81MzcuMzYoTW9iaWxlOyB2cGFkbi1zZGstYS12NC42LjQpDQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="}
 01212{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"m.vpon.com","http": {"url":"m.vpon.com\/sdk\/vpadn-sdk-core-v1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36(Mobile; vpadn-sdk-a-v4.6.4)","detected_os":"Android 11"}}}
@@ -1017,11 +1017,11 @@
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":1,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":328,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":328,"pkt_l4_len":294,"thread_ts_usec":1654385184982489,"pkt":"tKXvZygQnLbQ0+MzCABFAAE6JG9AAEAG2MrAqAJ+EkBnHo80AFAYADoNP4BZp4AYAfY9sQAAAQEICpxRp3YAJw3ER0VUIC9ydi9lbmR2NC5odG1sP21vZj0xJmVjX2lkPTQmbW9mX3VpZD05MTE5OSZuX2ltcD0xJnVuaXRfaWQ9ODg4MSZzZGtfdmVyc2lvbj1tYWxfOC43LjQgSFRUUC8xLjENClVzZXItQWdlbnQ6IERhbHZpay8yLjEuMCAoTGludXg7IFU7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMSkNCkhvc3Q6IGh5YmlyZC5yYXlqdW1wLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwDQoNCg=="}
 01151{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}}
-01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2559.4,"max":14880,"stddev":3288.5,"var":10814189.0,"ent":3.8,"data": [14880,612,571,2499,3579,106,930,2545,9210,1,87,6481,115,1571,2984,1607,79,1540,90,67,2792,6531,3088,2380,1844,2843,73,0,0,0,0,0]},"pktlen": {"min":249,"avg":4110.8,"max":7206,"stddev":1776.8,"var":3156934.0,"ent":4.8,"data": [249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922]},"bins": {"c_to_s": [0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2559.4,"max":14880,"stddev":3288.5,"var":10814189.0,"ent":3.8,"data": [14880,612,571,2499,3579,106,930,2545,9210,1,87,6481,115,1571,2984,1607,79,1540,90,67,2792,6531,3088,2380,1844,2843,73]},"pktlen": {"min":249,"avg":4110.8,"max":7206,"stddev":1776.8,"var":3156934.0,"ent":4.8,"data": [249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922]},"bins": {"c_to_s": [0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 02473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2407,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAXIXwoAAPgGIaESQGcewKgCfgBQjzQ\/gHc7GAA7E4AYAINkpwAAAQEICgAnDeicUad2RWsIZamOljqm7gSNKAkXQCu+hVDQvHNR9FYzcLa6bcMwfHz8+6Ohpq2yX4VCM8MnePOCbl7QzQu6eUE3L+jmBd28oJsXdPPvCN38HeCm8Yfm\/kvPR3Dz+vd\/+5\/+qz\/+F\/\/73\/yP\/8vf\/ov\/+v\/+3\/7l3\/xn\/\/nP6n\/VjBMyedbYcXZ\/o\/OF7mdeh9Hhr\/RfIfMv43vvKuRdCur\/FFM9E59fEn2SOA2NKnl1bdNivqb2mOXNXHq1\/YMX1\/Ovvr+Ls8avbLeJu\/n+XUe8voOwYRiE416SRHkHbuH3JI7AK5hcYzixRhEYhd8jOEmi6zWCkdiKXBEYCfi+gog\/Et\/23iV5mL96vr5z8qbJ03dVHEbNXOMfCP\/4uyrDZ\/hnarl7h38mQu9N1tzbJ+HHYOnfwgd4YKemZxmEk6Yfkz3lh\/aJu5CbeloHFbHt+TJXIpxmxZgsZHiRMOZFvKzyDdgT70P7AneujlPtVyx1Ci8u7Wd7MtsuMwhfTyvOMfV9uKfpBVoFiWcijlTzRwo97G1lTY77npOvQt2eMaaQrdoht73lsx1+nZwlg+BlIhnXXbgLsHWy5C\/CTrdrpvOys4hB5bmgib5vMJLqdEuhL1RVueIWhr1W24corWULSQqDfGNsr1HdHI4FJV+WwuEwhjFLFwqL5Xy27akNzx1XpbTfbywRws5chR\/VzSRUHZ82JFfLUbM21UlmqXQlB5CS01wcLs0xrplUXKuatlxW\/JnKqnFYcvIJ+HnXlDQp0jzZWW7b+IreDkRwtvod2OSadqez+8PJQr11ODo3W9Sq9lB21UYv1nbZnPkKxY3GO2VJgKi3y86OY2lDWQkA3y1giPPL0I8WU8XJRBa7HXzc3Kr4uITR5JDT0WTaYXbC9v5VWfTptvCOnVLv18ciGZlm2dHCfrfBJ8PAq77hGFHEh2RHh+SoYiYL45XZJMJ1SZZMbDASfdSvphUfow01aDWyqsWVpJirq1bhq16jM844FVx6sRj6QlADNWTuRMUGtyRUymqEmNkJt0Yb1N1graqbbda1j4vrOEyE7tb2An3aY8uYGHAX8\/rsNN6gbsLJaXGuswDrrwixB2A37Y+RJEMuQhm9tVPq3bKPTkuFNlJk4shWDhxGJ4gRxe1aHQH+OdOeb5ZAybp4QOtbdJVZhbI7fRHTpmi3Db68nJpjZBHlst+pE6dd\/auVOTRGjFYfMxlXYZeV5CtjfADQStuORhXR14nj+JExkEESLQhVIgsxAsrbUusYDOsmiIS0OxhmECNGsnePTqNm9Ybk0jiCIUUMk0Q6bo9XikfzcXHRxBU2KhFA7wFnV9mu0s+4T+Cmvs31pVGdu01zTdMqOQbatST8XeSiGb9xLLVobbjVxgASHcVY6Z0cEk1Zw70WhNMSziSBuvEt6nPBEkkYPUs89VCHjedyHoevTwhpwRtTvVC9cjscTpkEl70Q5ZcEM0iBVlOrZshoxaxTCyVqkcFaQaTJND7qiruC9vSgHxhROJty2frJRGcUkW\/T8bzArQu62Aj8pZfq5WnpurUmhYNXBBstPB0HdLEt67HP9CUNcHaVL\/py5Tv+IiqnHSGMtLAtT2aEyysT7VlU2B1c0UynpCL4dONoCBQZiWBCCob59IQIU9r6hD5FW92974pfH398cuCh13wO5v+Bzpq+x4zOk7NmVkyoZTPht8XqNPclVgd+dr30ls5urO+xrXKEf+KEQVxrl2X5Oea+B7dP8f2vfeAhlpy7jKenuJahub4U2SPWInq+hVn3Kp7Xjnw5Mt72ttIa3qJmWSX5OaelWMO1q4cTtae5TXSrzL1EZlCA5nHYN3tCgikSvSDqTjQq48xf4eq4x89aD51T5RZZJ\/zYX3eIruVriHTZcy9vlhIyXU6UT8Gkvj5OMbHU"}
 04501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":3,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2922,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2922,"pkt_l4_len":2888,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAtcXwsAAPgGHAwSQGcewKgCfgBQjzQ\/gHzPGAA7E4AYAINH0wAAAQEICgAnDeicUad24XFtV7Rg10duU4UTlxkMf+4hbiOeKWSTGwnHrK\/bcVHDmrmHVT1QbFoe9jUro5dI5TdYvpHS0y1rjoh+0U3zcCtX9rblxRoi5FhuCbqzSJTCJ\/SCO4zZZSPYNE6w5HSVgAaV0y2oWClZOTWZhlvMk\/XLRpM2IbCWurCzT+9+nnf\/OWUMYJ35yVcMM8b6\/R\/\/1f\/5x\/\/+v\/rM8TWeCOPgXR\/Wn9HNbJqvANEK619BcRX6k+IzZvpCAIbt5MNPYdScnyfOCY1\/TyD1rf7duf9o+anpe+Lk86r6HoqW4GHx6Znn1+7nR8VPBz8nS9L5cAeE+tP9z7LkZg6+ssfPLHPhW3ltM+PZT5K8\/\/msfZakyRs7mbt7Xv7\/5l\/\/85\/obM72VPyqzrNvqjRrU2d+wff86N\/86\/\/y1dOAvpLFbex7cuAdHr+ancs7IF7TArMobu\/azMv7LMnv2ZI\/Gupcy2kBmgQdfr79Efcrp\/mm7gDzHc7PmZXzYaydhcl9sn\/Bdl7f8evdzu42\/KM6\/2CPyGFz2XrOAlzQ68abCb\/NI1L4Z494f\/7\/wYeXvY12b\/v45AFpVjEKiukvMgW7N34KJ1mHT5uII8wicQAf7cIJq5oahpZLfYWtbiLN8Nh5vTFcczsoLYRSQOpr5+wJefBB0Bcjqs8OVij5zI4Q8US3kT6+pov1ZlWX1ZbBLAo\/CWVvJs7o7OLKwNZicOUC1akI83ha4yIZMssUw8P1miwuy6UgRf4eU5Z4nB6XmLKp3MOmhnDsUnscvDaHlhO5ju5pELGc1S1KGIjCWSnZkCldR8tC3DNDZhx2FKPl6Ci6COlwEwia\/ctaSG\/KNTGIWOI6zxgGatnGGthaTk1Dl52EoUGrXjVsYFdBMq6zs3e4rH0Kz4xNdXR5SSjlJSGkp+XAetsK67orj5IjKZ9wGSH8hV8441VbQeRVqYj9GmcyBGz12el6BMEvIWJjscDyTLrh3gbg\/hA7bG\/IFWoEHieVcL0Fga3fQZtUIvBGrA4DAHWEdWYmHNmovkcclhbSpgp39QFulyfMoKwtehAkztJTKuJ6VmqPjURtjSFB1eFWH1Yc7LQ6dAu7tRLspVXE29p+fTlt3DU5BIU4qVWEQhjVxOQJJno\/tO47JaUb5kHb4cxZFH\/xjOAXlxRYQ3maguAXxIPDq5+U3s2e6xvHBz+qA9znj+qA0r3OzF78\/m\/\/m3\/x5GWK3\/9f\/8f\/9On2j\/\/DZ+rf\/K\/\/8y+4ISevvLvD+vmDL13\/qNtPXbbJM1cS1\/MvdrRzDv0vjv8pQXvOIP9JD\/cE7a+oLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwna3zq1eknQnu9fUpheUpheUpheUpheUpheUpheUpj+Q0th+u1o6CVB+wXdvKCbF3Tzgm5e0M0LunlBN\/8+oJu\/A9z8u0vQrpCfFX85I7tCnPBbGSm\/lk30zbTs9WqNEysUXZM4hpMYDijwEhBJBF+uEHC\/esnKvn9esrJfsrJfsrJfsrJfsrK\/dtYvWdkvWdn\/qKzsr2DFb8iy\/jbI+v87\/boZGvre\/q+mYD9X+y2Z2M+J2D+hfcm9nhP5\/pG515+TmJ\/6\/\/ct9fpHOdZMY39Dhb8G6D\/nW\/8jnNtLgvVLgvV\/PAnWP1o8\/7C\/j\/GrCdn3b9X++rjgVxOy5zr\/lhOyP3X5907ILoBTEbN4znv+kQ+d\/VichUew\/T3fvn\/\/\/udb4HMLzxvoT2hNXDD+vDu9qpsx8R\/BjlUk9vhhnsjPvM9fbh60mXtP2067WZA3b3\/43ScSuJ+\/Jh1o\/589f\/f5q7983TbBO\/IvX383f1X7D26e5NWHfwLD8Hfzt4KHVQ4c8Yd\/EgTBd\/P3kwdgm3k3fgA95Uny3bved25AP7N3flfHk\/\/O9q5t3XxAYPiffvcurb\/95OP9S+H\/7Ie8bRKwU3yAf7mheXxfntrFuygOo2R+sfDuSdIqdOw38MP939t7ww\/zd6D\/EIBt6F1gp3ECpLWz+l3tV3HwcX72AGbrwUsevObB8x7a5CFPHpL4IUIeIvQhWj5E2EOEP0Srh6LyH9zc8x+CvEofgthPPDBjD4kfAgt5iLOibR5mie3Ktx+KByfJ3VvZ5o3\/0EQPjfcQVQ9Pm9mDXTWxm\/gPdh2D5jwf7JBJDVoMXbuY9TLfttXcEahdPcxoZb7Ms188AHtsHzK7e6j9uxJ\/SO0qjDMwbYXtzab0Af74JEztJ4Dls0xPkzBP59O0NzPI+eFpHczTl9hF7X\/4dPPd8wNgk+5To59HDLbN52qAajtO9WADA8jG9DP1u3tXwLZiO5u1VqV28tHzkx\/uGvXAsqruh4EfZoW\/ayIwsDD6CMSv\/Lp++DQLbtw8z7gXZA9+Os8jaPN5HLPhPzf91F3vz4bwAYfhj0CFbfLDvEY\/82X+x0\/tNtGTHDawHCCCHzQfv9L2zybrqx7KD44P7MB\/KD\/YAVDSD89\/3+DDn\/7px7p1Huq2+FETBP5Pv7sPNXpqAegqr+P7DFR+Ys8I8zuwnIBV2MmzWDMImat8nFtq8uLDu\/e4n85t\/\/D0Qg0Q0Jlif4jmpfjV1IKF6lf3FuKsfrC\/en6fktcP8aOXuy0wqua9C4yk8dnEn0tvXt9n7vXb7+LgzWeW0G+en9f0eLRD2U79N3c4\/frtX8B\/9d4uCrAYmChOvDfx24f4\/b0RPfL95u2PC++fMbb313\/95id0t67nt6yPzdvv\/KT2XzXV+EP8\/v4HGua3lI8N0GLjRm\/8t5\/IT+wfP755+\/DZr8UP4Plnxzf7vNnP+Y\/VPAB69mHApJlkPuHSwBJ58\/Z9H3tN9B2Owd\/7UP0nf\/LGfwT3f1a\/\/e7JQfoQAn9XPQn6ftarDtT62CxeF8Prh\/R95aeP8f3\/5uNcASxxUP40aw\/Vo\/258Dx9Dzmgla1fjfp9lebVmz9NgSP4iwzM6OPrLvb7+57zV3\/69iH5VdYg8YcYTOWdtX6EHzzwkz4CMZ8fgCn+Unj84eNdo\/nTlLiP+TwlVNNUMXBOQJfPdvz67fv0PtFQDDaN2E7+8l0NjNN\/fPMXf+n95fu\/WryF3n7ngomatziwc3BgH2veuH+B\/NUsxJ0kAiNCIO\/t2493TYJOk6dOo8fklzqdRYueuIrH6CsRvKL6sQAPwRee1B7itE2\/4vmuAEI+S\/QkZHEX8idyAznrt++bnIsH33uDvn0Lmv55teC3VPv4EQzgd8CAfuc9jaJ9BPYNvHUc2kBx8\/owQWgFrPKT3HbmVXnsQeF9ufwaZ3z\/Qy4z49sHZzYvv4tdXwF9J9q8pL\/zHhEIyNz++fL7RweI\/7v6r\/8a3NZv\/3z5Af1CQu8k9APyAXk7iwvM+ifKuAdqYBZfP9RvH36XvwUsb2Zr\/Zl7mE3w9du3P6s82+Trhy\/2+\/Yh\/xnHJ10\/vH5W67NhvV54i9cPr571+DMiYP2K2Nbz9gQosyN5zHLQV\/U+iKv60xq7u6G336D9xE3lT57mrq3w62ECdADMMvxZlQf7fV+B7elN+MU3gcl8D7YwtgP1JLD1+ID+BqDJeQd4\/cU3vf0BbP12dYxTHyCeN9nbh+wRzNCncvOwhAF0efgdMtvD1+3NgLKO8v5HLQJf578vZmMBTB7Q8m\/o4LkHoI20SPzGf\/34CMYOhu6N+hxf\/7n9fgZHP\/d4CPpn9d3pfbC\/IdvmsJ\/fwcw0gGp97yej\/jsafJIHuGLgTuclHN\/\/r+\/ONQCTGGmz"}
 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":2856,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":4284,"midstream":1,"thread_ts_usec":1654385185015621,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}}
-01739{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":3272.6,"max":21003,"stddev":4960.2,"var":24603724.0,"ent":3.6,"data": [21003,154,129,3134,1686,3067,15801,2210,2030,2737,73,1485,603,2873,1573,1531,81,114,3525,1587,2816,10499,1437,55,1612,0,0,0,0,0,0,0]},"pktlen": {"min":563,"avg":3473.0,"max":5778,"stddev":1697.9,"var":2882863.0,"ent":4.8,"data": [563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":3272.6,"max":21003,"stddev":4960.2,"var":24603724.0,"ent":3.6,"data": [21003,154,129,3134,1686,3067,15801,2210,2030,2737,73,1485,603,2873,1573,1531,81,114,3525,1587,2816,10499,1437,55,1612]},"pktlen": {"min":563,"avg":3473.0,"max":5778,"stddev":1697.9,"var":2882863.0,"ent":4.8,"data": [563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00757{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2503,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":180,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184845262,"flow_dst_last_pkt_time":1654385185166661,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185166661,"pkt":"nLbQ0+MztKXvZygQCABFAADe9z5AACoGBubKmcQ1wKgCfgBQ5Ybmg6trug1byIAYAPOTtwAAAQEICkyTXI+9cmjoSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="}
 00758{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2504,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":181,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184857770,"flow_dst_last_pkt_time":1654385185942149,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185942149,"pkt":"nLbQ0+MztKXvZygQCABFAADeE\/tAACoG6inKmcQ1wKgCfgBQ5Yg8Z0+pmkmYKYAYAPN5zQAAAQEICkyTX6y9cmj1SFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2505,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":188,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385229374771,"flow_src_last_pkt_time":1654385229374771,"flow_dst_last_pkt_time":1654385229374771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1440,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1440,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385229374771,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"52.29.177.177","src_port":37100,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1147,8 +1147,8 @@
 ~~ total active/idle flows...: 197/197
 ~~ total timeout flows.......: 20
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6507383 bytes
-~~ total memory freed........: 6507383 bytes
+~~ total memory allocated....: 6506595 bytes
+~~ total memory freed........: 6506595 bytes
 ~~ total allocations/frees...: 126674/126674
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/443-chrome.pcap.out b/test/results/443-chrome.pcap.out
index 90a077be6..43bcb9e63 100644
--- a/test/results/443-chrome.pcap.out
+++ b/test/results/443-chrome.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037722 bytes
-~~ total memory freed........: 6037722 bytes
+~~ total memory allocated....: 6037718 bytes
+~~ total memory freed........: 6037718 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/443-curl.pcap.out b/test/results/443-curl.pcap.out
index 9e87bc46b..5fb03a6fe 100644
--- a/test/results/443-curl.pcap.out
+++ b/test/results/443-curl.pcap.out
@@ -7,7 +7,7 @@
 01046{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120512991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113120522725,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01106{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120563403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581113120563403,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01308{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120564527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581113120564527,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}}
-01704{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62811.5,"max":784064,"stddev":190271.5,"var":36203257856.0,"ent":2.2,"data": [38692,38799,9627,47643,2769,1124,2,41874,4,11797,50900,31,39132,3,742,11,18,78,76,38549,8926,46564,784064,784044,367,123,462,127,121,240,248,0]},"pktlen": {"min":66,"avg":411.2,"max":1506,"stddev":558.7,"var":312115.0,"ent":3.9,"data": [78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
+01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62811.5,"max":784064,"stddev":190271.5,"var":36203257856.0,"ent":2.2,"data": [38692,38799,9627,47643,2769,1124,2,41874,4,11797,50900,31,39132,3,742,11,18,78,76,38549,8926,46564,784064,784044,367,123,462,127,121,240,248]},"pktlen": {"min":66,"avg":411.2,"max":1506,"stddev":558.7,"var":312115.0,"ent":3.9,"data": [78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00914{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":58,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121570392,"flow_dst_last_pkt_time":1581113121570364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":65886,"midstream":0,"thread_ts_usec":1581113121570392,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","packets-captured":109,"packets-processed":109,"total-skipped-flows":0,"total-l4-payload-len":66816,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113121570392}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045770 bytes
-~~ total memory freed........: 6045770 bytes
+~~ total memory allocated....: 6045766 bytes
+~~ total memory freed........: 6045766 bytes
 ~~ total allocations/frees...: 121603/121603
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1709 chars
-~~ json string avg len.......: 1066 chars
+~~ json string max len.......: 1707 chars
+~~ json string avg len.......: 1065 chars
diff --git a/test/results/443-firefox.pcap.out b/test/results/443-firefox.pcap.out
index 6f9b379ea..f1eea1139 100644
--- a/test/results/443-firefox.pcap.out
+++ b/test/results/443-firefox.pcap.out
@@ -7,7 +7,7 @@
 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488079587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109488081517,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109488123692,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109488123785,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}}
-01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":130384.0,"max":1655693,"stddev":403949.6,"var":163175268352.0,"ent":2.0,"data": [38504,38612,1822,40006,4099,93,2,42327,4,2052,40671,32,38677,3,193774,83,215,231092,9994,47033,1655690,50,1655693,186,15,177,176,149,321,109,243,0]},"pktlen": {"min":66,"avg":532.7,"max":1506,"stddev":610.4,"var":372566.0,"ent":4.1,"data": [78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030]},"bins": {"c_to_s": [11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
+01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":130384.0,"max":1655693,"stddev":403949.6,"var":163175268352.0,"ent":2.0,"data": [38504,38612,1822,40006,4099,93,2,42327,4,2052,40671,32,38677,3,193774,83,215,231092,9994,47033,1655690,50,1655693,186,15,177,176,149,321,109,243]},"pktlen": {"min":66,"avg":532.7,"max":1506,"stddev":610.4,"var":372566.0,"ent":4.1,"data": [78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030]},"bins": {"c_to_s": [11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00921{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":316,"flow_dst_packets_processed":351,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109496480905,"flow_dst_last_pkt_time":1581109496480819,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":7675,"flow_dst_tot_l4_payload_len":406398,"midstream":0,"thread_ts_usec":1581109496480905,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","packets-captured":667,"packets-processed":667,"total-skipped-flows":0,"total-l4-payload-len":414073,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109496480905}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6062006 bytes
-~~ total memory freed........: 6062006 bytes
+~~ total memory allocated....: 6062002 bytes
+~~ total memory freed........: 6062002 bytes
 ~~ total allocations/frees...: 122162/122162
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
-~~ json string max len.......: 1721 chars
-~~ json string avg len.......: 1076 chars
+~~ json string max len.......: 1719 chars
+~~ json string avg len.......: 1075 chars
diff --git a/test/results/443-git.pcap.out b/test/results/443-git.pcap.out
index 29e4c3604..d228ad538 100644
--- a/test/results/443-git.pcap.out
+++ b/test/results/443-git.pcap.out
@@ -7,7 +7,7 @@
 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657744320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113657751016,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1424,"midstream":0,"thread_ts_usec":1581113657863699,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}}
 01417{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3550,"midstream":0,"thread_ts_usec":1581113657863749,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","server_names":"github.com,www.github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com","alpn":"http\/1.1","fingerprint":"CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"}}}
-01699{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32615.3,"max":143502,"stddev":53225.8,"var":2832981760.0,"ent":3.2,"data": [110467,110568,6595,119379,41,9,112809,2,11075,123994,112907,571,143502,5,142911,2,6496,2,14,6523,7,6,115,82,1242,13,1267,3,237,2,227,0]},"pktlen": {"min":66,"avg":351.8,"max":1490,"stddev":464.4,"var":215710.4,"ent":4.0,"data": [78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66]},"bins": {"c_to_s": [14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}}
+01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32615.3,"max":143502,"stddev":53225.8,"var":2832981760.0,"ent":3.2,"data": [110467,110568,6595,119379,41,9,112809,2,11075,123994,112907,571,143502,5,142911,2,6496,2,14,6523,7,6,115,82,1242,13,1267,3,237,2,227]},"pktlen": {"min":66,"avg":351.8,"max":1490,"stddev":464.4,"var":215710.4,"ent":4.0,"data": [78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66]},"bins": {"c_to_s": [14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}}
 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658456571,"flow_dst_last_pkt_time":1581113658456501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":881,"flow_dst_tot_l4_payload_len":31704,"midstream":0,"thread_ts_usec":1581113658456571,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","packets-captured":70,"packets-processed":70,"total-skipped-flows":0,"total-l4-payload-len":32585,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113658456571}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6048149 bytes
-~~ total memory freed........: 6048149 bytes
+~~ total memory allocated....: 6048145 bytes
+~~ total memory freed........: 6048145 bytes
 ~~ total allocations/frees...: 121566/121566
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1704 chars
-~~ json string avg len.......: 1067 chars
+~~ json string max len.......: 1702 chars
+~~ json string avg len.......: 1066 chars
diff --git a/test/results/443-opvn.pcap.out b/test/results/443-opvn.pcap.out
index 807973ce0..1b31110f7 100644
--- a/test/results/443-opvn.pcap.out
+++ b/test/results/443-opvn.pcap.out
@@ -5,7 +5,7 @@
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1581153175528454,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1581153175550065,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGAkzADMBnwKgBVASqzu1gWZU1YGtar6AScSBwigAAAgQFrAQCCAocQO0VFg2AOQEDAwY="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1581153175550155,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1581153175550155,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+FPAqAFUwAzAZ87tBKpga1qvYFmVNoAQECwALgAAAQEIChYNgE0cQO0V"}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153176603974,"flow_dst_last_pkt_time":1581153176626109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1581153176626109,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
-01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":158261.5,"max":1160659,"stddev":364282.7,"var":132701855744.0,"ent":2.7,"data": [21611,21701,1053819,1075076,968,22235,339,57386,57093,21241,11768,32975,174,239,20560,20491,9065,4,19997,11251,22162,19953,19952,207,21422,21230,137,58577,1160659,1122501,1313,0]},"pktlen": {"min":66,"avg":274.3,"max":1506,"stddev":407.4,"var":166005.6,"ent":4.0,"data": [78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118]},"bins": {"c_to_s": [7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":158261.5,"max":1160659,"stddev":364282.7,"var":132701855744.0,"ent":2.7,"data": [21611,21701,1053819,1075076,968,22235,339,57386,57093,21241,11768,32975,174,239,20560,20491,9065,4,19997,11251,22162,19953,19952,207,21422,21230,137,58577,1160659,1122501,1313]},"pktlen": {"min":66,"avg":274.3,"max":1506,"stddev":407.4,"var":166005.6,"ent":4.0,"data": [78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118]},"bins": {"c_to_s": [7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00913{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":21,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153184491293,"flow_dst_last_pkt_time":1581153184491180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3974,"flow_dst_tot_l4_payload_len":4543,"midstream":0,"thread_ts_usec":1581153184491293,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":46,"total-skipped-flows":0,"total-l4-payload-len":8517,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1581153184491293}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039027 bytes
-~~ total memory freed........: 6039027 bytes
+~~ total memory allocated....: 6039023 bytes
+~~ total memory freed........: 6039023 bytes
 ~~ total allocations/frees...: 121534/121534
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1740 chars
-~~ json string avg len.......: 1057 chars
+~~ json string max len.......: 1738 chars
+~~ json string avg len.......: 1056 chars
diff --git a/test/results/443-safari.pcap.out b/test/results/443-safari.pcap.out
index 4bd980454..c2508ab65 100644
--- a/test/results/443-safari.pcap.out
+++ b/test/results/443-safari.pcap.out
@@ -7,7 +7,7 @@
 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359639845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109359641072,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109359683686,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01352{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109359683783,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}}
-01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":70482.6,"max":695650,"stddev":174729.3,"var":30530334720.0,"ent":2.6,"data": [38199,38303,1123,39767,4074,97,2,42774,4,225660,264285,31,38670,4,1586,32,19,43,88,40010,28,9938,48247,695603,124,695650,120,128,123,103,125,0]},"pktlen": {"min":66,"avg":398.7,"max":1506,"stddev":559.6,"var":313139.8,"ent":3.9,"data": [78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506]},"bins": {"c_to_s": [11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
+01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":70482.6,"max":695650,"stddev":174729.3,"var":30530334720.0,"ent":2.6,"data": [38199,38303,1123,39767,4074,97,2,42774,4,225660,264285,31,38670,4,1586,32,19,43,88,40010,28,9938,48247,695603,124,695650,120,128,123,103,125]},"pktlen": {"min":66,"avg":398.7,"max":1506,"stddev":559.6,"var":313139.8,"ent":3.9,"data": [78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506]},"bins": {"c_to_s": [11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":20,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360696066,"flow_dst_last_pkt_time":1581109360695416,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":16406,"midstream":0,"thread_ts_usec":1581109360696066,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","packets-captured":41,"packets-processed":41,"total-skipped-flows":0,"total-l4-payload-len":17203,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109360696066}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043828 bytes
-~~ total memory freed........: 6043828 bytes
+~~ total memory allocated....: 6043824 bytes
+~~ total memory freed........: 6043824 bytes
 ~~ total allocations/frees...: 121535/121535
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
-~~ json string max len.......: 1707 chars
+~~ json string max len.......: 1705 chars
 ~~ json string avg len.......: 1068 chars
diff --git a/test/results/4in6tunnel.pcap.out b/test/results/4in6tunnel.pcap.out
index aff23ee1d..76012c966 100644
--- a/test/results/4in6tunnel.pcap.out
+++ b/test/results/4in6tunnel.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035761 bytes
-~~ total memory freed........: 6035761 bytes
+~~ total memory allocated....: 6035757 bytes
+~~ total memory freed........: 6035757 bytes
 ~~ total allocations/frees...: 121491/121491
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/6in4tunnel.pcap.out b/test/results/6in4tunnel.pcap.out
index 52ff19fbf..67bff0c25 100644
--- a/test/results/6in4tunnel.pcap.out
+++ b/test/results/6in4tunnel.pcap.out
@@ -4,7 +4,7 @@
 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893450580,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893450580,"pkt":"ACKQ3jvZAAAkzoE0CABFAAB8tYFAAP8pFzeuA0kYuGn\/GmAAAAAAQDo\/IAEEcB8XAT8+lw7\/\/nNN7CYEqIAAAQAgAAAAAAIksAGAAOC9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"}
 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893555356,"pkt":"AAAkzoE0ACKQ3jvZCABFAAB8xlZAAPgpDWK4af8argNJGGAAAAAAQDo3JgSogAABACAAAAAAAiSwASABBHAfFwE\/PpcO\/\/5zTeyBAN+9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"}
 00711{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444236894230722,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":200,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":200,"pkt_l4_len":166,"thread_ts_usec":1444236894230722,"pkt":"ACKQ3jvZAAAkzoE0CABFAAC6tdFAAP8pFqmuA0kYuGn\/GmAAAAAAfjpAIAEEcB8WAT8AAAAAAAAAAiYEqIAAAQAgAAAAAAIksAEBA9KAAAAAAGAAAAAATgY2JgSogAABACAAAAAAAiSwASABBHAfFwE\/JaMykhb5LOAD4exLUvt9fRlwFpiAGABJEPkAAAEBCAq0MT0ACHX6xhcDAwApoxPniAjxmmXGKxqxVV6nOvla9FPS7Dtl2rRDlmVhpOKK9OFyB\/XihP8="}
-01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":494998.2,"max":1005120,"stddev":454962.0,"var":206990442496.0,"ent":4.2,"data": [104776,780142,221063,1000457,1001744,1001146,1001712,1005120,1001052,1000771,1001064,1001072,1001370,999940,1001888,1003131,365420,1118,348987,4072,96728,99146,95730,758,97863,1021,105,98080,140,8789,539,0]},"pktlen": {"min":106,"avg":250.4,"max":1911,"stddev":383.0,"var":146712.7,"ent":4.2,"data": [138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159]},"bins": {"c_to_s": [0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0]}}
+01600{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":494998.2,"max":1005120,"stddev":454962.0,"var":206990442496.0,"ent":4.2,"data": [104776,780142,221063,1000457,1001744,1001146,1001712,1005120,1001052,1000771,1001064,1001072,1001370,999940,1001888,1003131,365420,1118,348987,4072,96728,99146,95730,758,97863,1021,105,98080,140,8789,539]},"pktlen": {"min":106,"avg":250.4,"max":1911,"stddev":383.0,"var":146712.7,"ent":4.2,"data": [138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159]},"bins": {"c_to_s": [0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0]}}
 00779{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00818{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":66,"flow_dst_packets_processed":61,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236915478638,"flow_dst_last_pkt_time":1444236915586195,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1470,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":11600,"flow_dst_tot_l4_payload_len":24375,"midstream":0,"thread_ts_usec":1444236915586195,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","packets-captured":127,"packets-processed":127,"total-skipped-flows":0,"total-l4-payload-len":35975,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1444236915586195}
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039328 bytes
-~~ total memory freed........: 6039328 bytes
+~~ total memory allocated....: 6039324 bytes
+~~ total memory freed........: 6039324 bytes
 ~~ total allocations/frees...: 121614/121614
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
-~~ json string max len.......: 1607 chars
-~~ json string avg len.......: 1022 chars
+~~ json string max len.......: 1605 chars
+~~ json string avg len.......: 1021 chars
diff --git a/test/results/6in6tunnel.pcap.out b/test/results/6in6tunnel.pcap.out
index 0cd50626f..a8c1c0eac 100644
--- a/test/results/6in6tunnel.pcap.out
+++ b/test/results/6in6tunnel.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037331 bytes
-~~ total memory freed........: 6037331 bytes
+~~ total memory allocated....: 6037323 bytes
+~~ total memory freed........: 6037323 bytes
 ~~ total allocations/frees...: 121499/121499
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/BGP_Cisco_hdlc_slarp.pcap.out b/test/results/BGP_Cisco_hdlc_slarp.pcap.out
index 92bb671f1..a5cee2461 100644
--- a/test/results/BGP_Cisco_hdlc_slarp.pcap.out
+++ b/test/results/BGP_Cisco_hdlc_slarp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036051 bytes
-~~ total memory freed........: 6036051 bytes
+~~ total memory allocated....: 6036047 bytes
+~~ total memory freed........: 6036047 bytes
 ~~ total allocations/frees...: 121501/121501
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 505 chars
diff --git a/test/results/BGP_redist.pcap.out b/test/results/BGP_redist.pcap.out
index 4c9e79529..890703fa3 100644
--- a/test/results/BGP_redist.pcap.out
+++ b/test/results/BGP_redist.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 195 chars
diff --git a/test/results/EAQ.pcap.out b/test/results/EAQ.pcap.out
index 2f9c15d8c..946ee8165 100644
--- a/test/results/EAQ.pcap.out
+++ b/test/results/EAQ.pcap.out
@@ -224,8 +224,8 @@
 ~~ total active/idle flows...: 31/31
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6090395 bytes
-~~ total memory freed........: 6090395 bytes
+~~ total memory allocated....: 6090271 bytes
+~~ total memory freed........: 6090271 bytes
 ~~ total allocations/frees...: 121995/121995
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
index 428e43136..76fc0fe75 100644
--- a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
+++ b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
@@ -20,15 +20,15 @@
 00912{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958718407,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":339,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":339,"pkt_l4_len":305,"thread_ts_usec":1228468958718407,"pkt":"AAglAXLkABZGR+C\/CABFuAFFHeUAAD0RBJ7AqGTbioSpZRPEE8QBMRfZU0lQLzIuMCAxMDAgVHJ5aW5nDQpDYWxsLUlEOiBTRDQ5MDk3MDEtOWZmMTFiZjcyZWI0YTM0N2M5Mjk3NGQ4ZmJiYzI2NjgtYW84bzNpMQ0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpUbzogPHNpcDowNjE5NjMxNzdAaXRhbHRlbC5pdDt1c2VyPXBob25lPg0KVmlhOiBTSVAvMi4wL1VEUCAxMzguMTMyLjE2OS4xMDE6NTA2MDticmFuY2g9ejloRzRiS2Z2MmY0MDEwNzg3aDNhOHExMjgwLjENCg0K"}
 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958819466,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":469,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":469,"pkt_l4_len":435,"thread_ts_usec":1228468958819466,"pkt":"AAglAXLkABZGR+C\/CABFuAHHHeYAAD0RBBvAqGTbioSpZRPEE8QBs3VMU0lQLzIuMCAxODAgUmluZ2luZw0KQ2FsbC1JRDogU0Q0OTA5NzAxLTlmZjExYmY3MmViNGEzNDdjOTI5NzRkOGZiYmMyNjY4LWFvOG8zaTENCkNvbnRhY3Q6IDxzaXA6MDYxOTYzMTc3QDE5Mi4xNjguMTAwLjIxOTo1MDYwPg0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpTZXJ2ZXI6IEFyY29yL0FyY29yLTEuMDIuMDA1dDINClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz02MTcyNjM2MTY0Nzk2MTZFLTMzMTcxNTUyMC01MzM2Zjc4NS0xODc0MTAyMDUNClZpYTogU0lQLzIuMC9VRFAgMTM4LjEzMi4xNjkuMTAxOjUwNjA7YnJhbmNoPXo5aEc0YktmdjJmNDAxMDc4N2gzYThxMTI4MC4xDQoNCg=="}
 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958651179,"flow_dst_last_pkt_time":1228468958820487,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":488,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":488,"pkt_l4_len":454,"thread_ts_usec":1228468958820487,"pkt":"ABEKVkXQAAglAXLqCABFAAHaAABAAIARbCEKIzxkCiM8SBPEE8QBxvK8U0lQLzIuMCAxODAgUmluZ2luZw0KVmlhOiBTSVAvMi4wL1VEUCAxMC4zNS42MC43Mjo1MDYwO2JyYW5jaD16OWhHNGJLLmlJaUlpSS4wYTIzMjgxOS5lOWQ0YmQNClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz1TRDQ5MDk3OTktNjE3MjYzNjE2NDc5NjE2RS0zMzE3MTU1MjAtNTMzNmY3ODUtMTg3NDEwMjA1DQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9MDBlOWQ0NzgNCkNhbGwtSUQ6IDAwZTlkNGE1MDBlOWQ0OC0wMDE1LTAwMDEtMDAwMC0wMDAwQDEwLjM1LjQwLjI1DQpDU2VxOiAxIElOVklURQ0KQ29udGFjdDogPHNpcDowNjE5NjMxNzctaWtodXVlcDViaTEyM0AxMC4zNS42MC4xMDA6NTA2MDt0cmFuc3BvcnQ9dWRwPg0KQ29udGVudC1MZW5ndGg6IDANClNlcnZlcjogQXJjb3IvQXJjb3ItMS4wMi4wMDV0Mg0KDQo="}
-01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1691733.2,"max":4370196,"stddev":2031243.2,"var":4125948903424.0,"ent":3.7,"data": [147,2580,146,4369720,177,4369379,142,4370170,85,4370186,150,4369866,79,4370149,291,4370036,88,4369436,150,3508424,3524296,204367,192966,657514,15,652477,151,4369658,82,4370196,609,0]},"pktlen": {"min":87,"avg":168.8,"max":414,"stddev":98.9,"var":9786.3,"ent":4.8,"data": [87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165]},"bins": {"c_to_s": [0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01748{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1691733.2,"max":4370196,"stddev":2031243.2,"var":4125948903424.0,"ent":3.7,"data": [147,2580,146,4369720,177,4369379,142,4370170,85,4370186,150,4369866,79,4370149,291,4370036,88,4369436,150,3508424,3524296,204367,192966,657514,15,652477,151,4369658,82,4370196,609]},"pktlen": {"min":87,"avg":168.8,"max":414,"stddev":98.9,"var":9786.3,"ent":4.8,"data": [87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165]},"bins": {"c_to_s": [0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965434208,"pkt":"ABgYesP\/AAglAXLqCABFuADIHecAAD0RDLUKIzxkChcBNDzcQXQAtEC7gAgAAGfPFaAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="}
 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1228468965455031,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965455031,"pkt":"ABgYesP\/AAglAXLqCABFuADIHegAAD0RDLQKIzxkChcBNDzcQXQAtEAagAgAAWfPFkAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="}
 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1228468965474173,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965474173,"pkt":"ABgYesP\/AAglAXLqCABFuADIHekAAD0RDLMKIzxkChcBNDzcQXQAtD95gAgAAmfPFuAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="}
-01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1438,"avg":20013.4,"max":39530,"stddev":4863.7,"var":23655656.0,"ent":4.9,"data": [20823,19142,39530,1438,19970,20000,19294,20526,19616,19873,20995,20283,18519,20415,19722,19948,20367,20228,19700,20355,19296,20527,20111,20020,19630,19979,19869,20276,20190,19810,19964,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1438,"avg":20013.4,"max":39530,"stddev":4863.7,"var":23655656.0,"ent":4.9,"data": [20823,19142,39530,1438,19970,20000,19294,20526,19616,19873,20995,20283,18519,20415,19722,19948,20367,20228,19700,20355,19296,20527,20111,20020,19630,19979,19869,20276,20190,19810,19964]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
 00931{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2026,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":29,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468981331384,"flow_dst_last_pkt_time":1228468981333255,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":541,"flow_dst_max_l4_payload_len":515,"flow_src_tot_l4_payload_len":2694,"flow_dst_tot_l4_payload_len":5839,"midstream":0,"thread_ts_usec":1228468983833618,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":263,"avg":2809077.0,"max":27628387,"stddev":6895590.0,"var":47549159309312.0,"ent":2.5,"data": [1429,5975,263,162733,421,6673080,696,6843298,378,2041486,761,2040704,344,12449,653,131771,424,27628387,388,27585469,481,6913792,703,6841323,326,83992,388,88136,409,19767,961,0]},"pktlen": {"min":304,"avg":605.3,"max":923,"stddev":211.9,"var":44888.2,"ent":4.9,"data": [919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":263,"avg":2809077.0,"max":27628387,"stddev":6895590.0,"var":47549159309312.0,"ent":2.5,"data": [1429,5975,263,162733,421,6673080,696,6843298,378,2041486,761,2040704,344,12449,653,131771,424,27628387,388,27585469,481,6913792,703,6841323,326,83992,388,88136,409,19767,961]},"pktlen": {"min":304,"avg":605.3,"max":923,"stddev":211.9,"var":44888.2,"ent":4.9,"data": [919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1228468958657176,"flow_src_last_pkt_time":1228469002345812,"flow_dst_last_pkt_time":1228469002339397,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":338,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":884,"flow_dst_max_l4_payload_len":833,"flow_src_tot_l4_payload_len":5213,"flow_dst_tot_l4_payload_len":5205,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"138.132.169.101","dst_ip":"192.168.100.219","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1228468958651179,"flow_src_last_pkt_time":1228469002344280,"flow_dst_last_pkt_time":1228469002341564,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":5330,"flow_dst_tot_l4_payload_len":5170,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"10.35.60.72","dst_ip":"10.35.60.100","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00933{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":20,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002344653,"flow_dst_last_pkt_time":1228469002342941,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":10660,"flow_dst_tot_l4_payload_len":10340,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -48,10 +48,10 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6251450 bytes
-~~ total memory freed........: 6251450 bytes
+~~ total memory allocated....: 6251430 bytes
+~~ total memory freed........: 6251430 bytes
 ~~ total allocations/frees...: 128744/128744
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 513 chars
-~~ json string max len.......: 1771 chars
-~~ json string avg len.......: 1141 chars
+~~ json string max len.......: 1769 chars
+~~ json string avg len.......: 1140 chars
diff --git a/test/results/IEC104.pcap.out b/test/results/IEC104.pcap.out
index f1c54360a..bf2a83cdd 100644
--- a/test/results/IEC104.pcap.out
+++ b/test/results/IEC104.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037708 bytes
-~~ total memory freed........: 6037708 bytes
+~~ total memory allocated....: 6037700 bytes
+~~ total memory freed........: 6037700 bytes
 ~~ total allocations/frees...: 121512/121512
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/KakaoTalk_chat.pcap.out b/test/results/KakaoTalk_chat.pcap.out
index dbc07a3e3..6bd3faf34 100644
--- a/test/results/KakaoTalk_chat.pcap.out
+++ b/test/results/KakaoTalk_chat.pcap.out
@@ -151,7 +151,7 @@
 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":113,"pkt_l4_len":77,"thread_ts_usec":1430069031611243,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAGHTnUAAQAbVXgoYUrw2\/\/3H5i8UZ+uf0VkGiXPCgBgCYxkQAAABAQgKAAKTKDTnT0kXAwEAKNOo\/lFrrxEtj1oyrBEybZXAvF7754xqLjvuYfV0gCpDpumAA3\/lW60="}
 01016{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01875{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":92,"avg":37756.1,"max":174316,"stddev":43491.6,"var":1891518208.0,"ent":4.0,"data": [36956,40344,305,47699,3998,72083,702,123993,153,15869,671,16632,152,12207,67230,35950,15778,732,105866,38147,60424,4517,92,3936,174316,67658,16785,16968,108490,672,81115,0]},"pktlen": {"min":56,"avg":272.1,"max":1336,"stddev":386.9,"var":149674.2,"ent":3.9,"data": [76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56]},"bins": {"c_to_s": [10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01873{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":92,"avg":37756.1,"max":174316,"stddev":43491.6,"var":1891518208.0,"ent":4.0,"data": [36956,40344,305,47699,3998,72083,702,123993,153,15869,671,16632,152,12207,67230,35950,15778,732,105866,38147,60424,4517,92,3936,174316,67658,16785,16968,108490,672,81115]},"pktlen": {"min":56,"avg":272.1,"max":1336,"stddev":386.9,"var":149674.2,"ent":3.9,"data": [76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56]},"bins": {"c_to_s": [10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069035398200,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069035398200,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":42332,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035398200,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAChV8UAAQAbFkwoYUrzSZ\/APpVwBu+YrTKNirTiWUBFpAB9mAAA="}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035537940,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035537940,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACgkaUAAjgapG9Jn8A8KGFK8AbulXGKtOJbmK0ykUBCkj3bOAAA="}
@@ -165,7 +165,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035967627,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1430069036008002,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACxGQkAA+AZ8VB8NRFQKGFK8AbuwnWIYU8F1uP30YBIRHOshAAACBAV4"}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":221,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1430069036010596,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069036010596,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACjw1kAAPwaKxAoYUrwfDURUsJ0Bu3W4\/fRiGFPCUBA5CNq2AAA="}
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":222,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1430069035967627,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036012946,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
-01626{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3723,"avg":501416.6,"max":3802978,"stddev":831986.8,"var":692202045440.0,"ent":3.7,"data": [995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719,0]},"pktlen": {"min":56,"avg":225.0,"max":1336,"stddev":352.3,"var":124085.1,"ent":3.9,"data": [76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132]},"bins": {"c_to_s": [11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0]}}
+01624{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3723,"avg":501416.6,"max":3802978,"stddev":831986.8,"var":692202045440.0,"ent":3.7,"data": [995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719]},"pktlen": {"min":56,"avg":225.0,"max":1336,"stddev":352.3,"var":124085.1,"ent":3.9,"data": [76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132]},"bins": {"c_to_s": [11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0]}}
 02004{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036068122,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1430069036068122,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwqSkAAPwalnwoYUryt\/GECircBu1PEJ3oAAAAAoAI5CI51AAACBAV4BAIICgALDTAAAAAAAQMDBw=="}
@@ -187,7 +187,7 @@
 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069060011328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkUAAQAbmZgoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="}
 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01901{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":1852833.4,"max":27030701,"stddev":6601250.5,"var":43576507498496.0,"ent":1.5,"data": [41748,45806,2228,39459,11261,448395,183,2868,498749,183,122,36927,124176,229920,321990,23011,161804,229858,405273,183,57404,108246,75989,156006,245086,67993,69489,26937805,56885,27030701,8087,0]},"pktlen": {"min":56,"avg":214.8,"max":1336,"stddev":348.1,"var":121165.0,"ent":3.9,"data": [76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56]},"bins": {"c_to_s": [10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01899{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":1852833.4,"max":27030701,"stddev":6601250.5,"var":43576507498496.0,"ent":1.5,"data": [41748,45806,2228,39459,11261,448395,183,2868,498749,183,122,36927,124176,229920,321990,23011,161804,229858,405273,183,57404,108246,75989,156006,245086,67993,69489,26937805,56885,27030701,8087]},"pktlen": {"min":56,"avg":214.8,"max":1336,"stddev":348.1,"var":121165.0,"ent":3.9,"data": [76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56]},"bins": {"c_to_s": [10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00884{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":334,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069030119696,"flow_src_last_pkt_time":1430069030119696,"flow_dst_last_pkt_time":1430069030119696,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":111,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":111,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":111,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069065046729,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":341,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1430069072945990,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1430069072945990,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADTTnkAAQAbVigoYUrw2\/\/3H5i8UZ+uf0YYGiXPCgBQCY5HBAAABAQgKAAKjTTTnT0k="}
 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":342,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069072986762,"flow_src_last_pkt_time":1430069072986762,"flow_dst_last_pkt_time":1430069072986762,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069072986762,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -247,8 +247,8 @@
 ~~ total active/idle flows...: 38/38
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6234167 bytes
-~~ total memory freed........: 6234167 bytes
+~~ total memory allocated....: 6234015 bytes
+~~ total memory freed........: 6234015 bytes
 ~~ total allocations/frees...: 122431/122431
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/KakaoTalk_talk.pcap.out b/test/results/KakaoTalk_talk.pcap.out
index 2488ae5b9..cb7ac4d5e 100644
--- a/test/results/KakaoTalk_talk.pcap.out
+++ b/test/results/KakaoTalk_talk.pcap.out
@@ -59,8 +59,8 @@
 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1430069171998328,"flow_dst_last_pkt_time":1430069171127448,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069171998328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAPxHbJAoYUrwByQGuLDlaBQBqX6qByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="}
 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069170975714,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172038153,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAQBHaJAoYUrwByQGuKB1aBwBqXmKByAAMVJql2trT+4JMtrXIu\/DNYLUyrcCH4nJIkwVlTlKbwLjRHdwKTf1t+cEG2dNtu5tj5fpNWxpJ1GyPSnYq1Tkhei6L7QH9KpD9dMR2BEbVSkSAAAACiCDm5WucO1eQLg=="}
 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":141,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069172127570,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172127570,"pkt":"AAACEgAAAAAAAAAAAAAIAEUoAH4AAEAAGhH\/\/AHJAa4KGFK8WgcoHQBqY8SByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="}
-01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":66595.3,"max":389008,"stddev":72818.7,"var":5302568960.0,"ent":4.2,"data": [2106,92,91278,244,98327,122,103547,389008,99365,152,41687,34149,94086,1190,99945,98542,31952,72327,100128,1037,27862,87799,99732,30,76142,16052,99243,84228,99884,1099,113099,0]},"pktlen": {"min":99,"avg":103.2,"max":192,"stddev":16.7,"var":278.8,"ent":5.0,"data": [100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99]},"bins": {"c_to_s": [0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
-01727{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4181,"avg":63468.7,"max":143921,"stddev":37951.6,"var":1440325376.0,"ent":4.7,"data": [36072,39245,140350,102021,35217,98114,7904,55847,41962,93445,6775,89905,91767,48217,40192,100067,12024,81512,89386,6988,84107,40741,87677,54901,38818,107880,4181,87555,68482,32257,143921,0]},"pktlen": {"min":99,"avg":106.6,"max":192,"stddev":20.8,"var":434.5,"ent":5.0,"data": [123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99]},"bins": {"c_to_s": [0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":66595.3,"max":389008,"stddev":72818.7,"var":5302568960.0,"ent":4.2,"data": [2106,92,91278,244,98327,122,103547,389008,99365,152,41687,34149,94086,1190,99945,98542,31952,72327,100128,1037,27862,87799,99732,30,76142,16052,99243,84228,99884,1099,113099]},"pktlen": {"min":99,"avg":103.2,"max":192,"stddev":16.7,"var":278.8,"ent":5.0,"data": [100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99]},"bins": {"c_to_s": [0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4181,"avg":63468.7,"max":143921,"stddev":37951.6,"var":1440325376.0,"ent":4.7,"data": [36072,39245,140350,102021,35217,98114,7904,55847,41962,93445,6775,89905,91767,48217,40192,100067,12024,81512,89386,6988,84107,40741,87677,54901,38818,107880,4181,87555,68482,32257,143921]},"pktlen": {"min":99,"avg":106.6,"max":192,"stddev":20.8,"var":434.5,"ent":5.0,"data": [123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99]},"bins": {"c_to_s": [0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069180329901,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkkAAQAbmZQoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="}
 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
@@ -68,9 +68,9 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1430069193291327,"flow_dst_last_pkt_time":1430069193291327,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069193291327,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACg66EAAjgYtFq38egEKGFK8AbvLm\/Ii35zxwsMTUBSkcjKfAAA="}
 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069201833106,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069201833106,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.151.233","src_port":53974,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069201833106,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOw0AAQAYrdAoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtk1IAAABAQgKAALVpswmIb5QFA=="}
-02245{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2289,"avg":1800875.8,"max":20336762,"stddev":4155046.5,"var":17264411672576.0,"ent":2.9,"data": [141571,151855,11750,244934,5676,231720,5279,268921,267944,260468,295685,6066894,6069489,2289,183686,177368,76049,36560,148072,8359650,8675995,4516,469818,147369,147094,2564,694885,724152,479767,20336762,1138366,0]},"pktlen": {"min":68,"avg":241.5,"max":920,"stddev":230.0,"var":52885.8,"ent":4.5,"data": [76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254]},"bins": {"c_to_s": [8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+02243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2289,"avg":1800875.8,"max":20336762,"stddev":4155046.5,"var":17264411672576.0,"ent":2.9,"data": [141571,151855,11750,244934,5676,231720,5279,268921,267944,260468,295685,6066894,6069489,2289,183686,177368,76049,36560,148072,8359650,8675995,4516,469818,147369,147094,2564,694885,724152,479767,20336762,1138366]},"pktlen": {"min":68,"avg":241.5,"max":920,"stddev":230.0,"var":52885.8,"ent":4.5,"data": [76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254]},"bins": {"c_to_s": [8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2182,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1430069202570380,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069202570380,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxEAAQAYrcwoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkz+AAABAQgKAALV8MwmIb5QFA=="}
-02247{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":183,"avg":2444481.5,"max":21237091,"stddev":5342425.0,"var":28541506813952.0,"ent":2.9,"data": [148041,148315,14374,196289,3692,185608,22217,228394,215698,291656,316833,4536377,4872620,301514,147949,147858,122284,336243,8596588,8810699,73731,557586,700867,602508,20472016,917846,21237091,519257,336,183,1054260,0]},"pktlen": {"min":68,"avg":267.1,"max":920,"stddev":266.4,"var":70953.5,"ent":4.4,"data": [76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80]},"bins": {"c_to_s": [9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+02245{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":183,"avg":2444481.5,"max":21237091,"stddev":5342425.0,"var":28541506813952.0,"ent":2.9,"data": [148041,148315,14374,196289,3692,185608,22217,228394,215698,291656,316833,4536377,4872620,301514,147949,147858,122284,336243,8596588,8810699,73731,557586,700867,602508,20472016,917846,21237091,519257,336,183,1054260]},"pktlen": {"min":68,"avg":267.1,"max":920,"stddev":266.4,"var":70953.5,"ent":4.4,"data": [76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80]},"bins": {"c_to_s": [9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2278,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1430069204049811,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069204049811,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxUAAQAYrcgoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkxqAAABAQgKAALWhMwmIb5QFA=="}
 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069210863623,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069210863623,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069210863623,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACih+UAAjgbKWq3CdeUKGFK8AbuV7IoFQj5TpMuVUBSklweYAAA="}
@@ -126,10 +126,10 @@
 ~~ total active/idle flows...: 20/20
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6192880 bytes
-~~ total memory freed........: 6192880 bytes
+~~ total memory allocated....: 6192800 bytes
+~~ total memory freed........: 6192800 bytes
 ~~ total allocations/frees...: 124914/124914
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
-~~ json string max len.......: 2252 chars
-~~ json string avg len.......: 1374 chars
+~~ json string max len.......: 2250 chars
+~~ json string avg len.......: 1373 chars
diff --git a/test/results/NTPv2.pcap.out b/test/results/NTPv2.pcap.out
index b54722dff..8fb287fa7 100644
--- a/test/results/NTPv2.pcap.out
+++ b/test/results/NTPv2.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/NTPv3.pcap.out b/test/results/NTPv3.pcap.out
index 0efa473e8..0d6e78fa2 100644
--- a/test/results/NTPv3.pcap.out
+++ b/test/results/NTPv3.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/NTPv4.pcap.out b/test/results/NTPv4.pcap.out
index 6d2be9100..043553bf3 100644
--- a/test/results/NTPv4.pcap.out
+++ b/test/results/NTPv4.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/Oscar.pcap.out b/test/results/Oscar.pcap.out
index 31bfe2ded..17be1bd21 100644
--- a/test/results/Oscar.pcap.out
+++ b/test/results/Oscar.pcap.out
@@ -4,7 +4,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464176482,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1434606464176482,"pkt":"AAxCW5ILDE3pmjdICABFAABAZ9pAAEAGAAAKHh0Dsu0Y+fd9Abu9oGylAAAAALAC\/\/\/zOQAAAgQFtAEDAwUBAQgKFdAS4wAAAAAEAgAA"}
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1434606464205135,"pkt":"DE3pmjdIAAxCW5ILCABFAAAsd\/VAAG8GoM+y7Rj5Ch4dAwG7933\/L+hsvaBspmASQABaVgAAAgQFUAAA"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1434606464205258,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1434606464205258,"pkt":"AAxCW5ILDE3pmjdICABFAAAo27ZAAEAGAAAKHh0Dsu0Y+fd9Abu9oGym\/y\/obVAQ\/\/\/zIQAA"}
-01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":3883141.0,"max":58215154,"stddev":14267685.0,"var":203566836875264.0,"ent":1.3,"data": [28653,28776,8916,42424,33521,518,478,147,33511,33418,288,33636,843,34123,226,44565,44326,32783,32790,157,115,322,31348,31096,58175544,58215154,3,39626,1457397,1490083,502580,0]},"pktlen": {"min":54,"avg":186.5,"max":1414,"stddev":263.3,"var":69345.6,"ent":4.2,"data": [78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90]},"bins": {"c_to_s": [11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0]}}
+01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":3883141.0,"max":58215154,"stddev":14267685.0,"var":203566836875264.0,"ent":1.3,"data": [28653,28776,8916,42424,33521,518,478,147,33511,33418,288,33636,843,34123,226,44565,44326,32783,32790,157,115,322,31348,31096,58175544,58215154,3,39626,1457397,1490083,502580]},"pktlen": {"min":54,"avg":186.5,"max":1414,"stddev":263.3,"var":69345.6,"ent":4.2,"data": [78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90]},"bins": {"c_to_s": [11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0]}}
 00866{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":71,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":38,"flow_dst_packets_processed":33,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606536630487,"flow_dst_last_pkt_time":1434606536630387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1504,"flow_dst_tot_l4_payload_len":3946,"midstream":0,"thread_ts_usec":1434606536630487,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039752 bytes
-~~ total memory freed........: 6039752 bytes
+~~ total memory allocated....: 6039748 bytes
+~~ total memory freed........: 6039748 bytes
 ~~ total allocations/frees...: 121559/121559
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1587 chars
-~~ json string avg len.......: 1024 chars
+~~ json string max len.......: 1585 chars
+~~ json string avg len.......: 1023 chars
diff --git a/test/results/TivoDVR.pcap.out b/test/results/TivoDVR.pcap.out
index 574a16c9f..8a731c6fa 100644
--- a/test/results/TivoDVR.pcap.out
+++ b/test/results/TivoDVR.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035675 bytes
-~~ total memory freed........: 6035675 bytes
+~~ total memory allocated....: 6035671 bytes
+~~ total memory freed........: 6035671 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/WebattackRCE.pcap.out b/test/results/WebattackRCE.pcap.out
index 8af7bab58..cc17c95ab 100644
--- a/test/results/WebattackRCE.pcap.out
+++ b/test/results/WebattackRCE.pcap.out
@@ -3197,8 +3197,8 @@
 ~~ total active/idle flows...: 797/797
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7503951 bytes
-~~ total memory freed........: 7503951 bytes
+~~ total memory allocated....: 7500763 bytes
+~~ total memory freed........: 7500763 bytes
 ~~ total allocations/frees...: 134771/134771
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/WebattackSQLinj.pcap.out b/test/results/WebattackSQLinj.pcap.out
index c72caf670..75203712a 100644
--- a/test/results/WebattackSQLinj.pcap.out
+++ b/test/results/WebattackSQLinj.pcap.out
@@ -63,8 +63,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6054298 bytes
-~~ total memory freed........: 6054298 bytes
+~~ total memory allocated....: 6054262 bytes
+~~ total memory freed........: 6054262 bytes
 ~~ total allocations/frees...: 121726/121726
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/WebattackXSS.pcap.out b/test/results/WebattackXSS.pcap.out
index eb4a35d53..8be038ee6 100644
--- a/test/results/WebattackXSS.pcap.out
+++ b/test/results/WebattackXSS.pcap.out
@@ -34,7 +34,7 @@
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1499346957283356,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346957283502,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQy\/7+F1DJk3pVMKAScSDJ8AAAAgQFtAQCCAoD4q86ATjdwwEDAwc="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284023,"flow_dst_last_pkt_time":1499346957283476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284023,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0F6xAAD4GriysEAABwKgKMsv8AFD6Ecppc0a7\/oAQAOWsxgAAAQEICgE43cMD4q86"}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284024,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284024,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0iO1AAD4GPOusEAABwKgKMsv+AFCTelUw\/hdQyoAQAOVo+AAAAQEICgE43cMD4q86"}
-01851{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":259407.4,"max":2805230,"stddev":698816.2,"var":488344092672.0,"ent":2.4,"data": [124,911,4,880,1546,2266,23623,26506,34185,32207,1143,1040,156,926,221,412,39847,69861,111250,1094,61600,62698,1083,842694,846614,3833,131682,132698,1100,2804194,2805230,0]},"pktlen": {"min":66,"avg":586.0,"max":7992,"stddev":1374.1,"var":1888110.1,"ent":3.5,"data": [74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":259407.4,"max":2805230,"stddev":698816.2,"var":488344092672.0,"ent":2.4,"data": [124,911,4,880,1546,2266,23623,26506,34185,32207,1143,1040,156,926,221,412,39847,69861,111250,1094,61600,62698,1083,842694,846614,3833,131682,132698,1100,2804194,2805230]},"pktlen": {"min":66,"avg":586.0,"max":7992,"stddev":1374.1,"var":1888110.1,"ent":3.5,"data": [74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346976603214,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603214,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Un9AAD4Gc1GsEAABwKgKMsxKAFAevqLeAAAAAKACchDe8gAAAgQFtAQCCAoBOPChAAAAAAEDAwc="}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603366,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603366,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzEoKnmxhHr6i36AScSCi1wAAAgQFtAQCCAoD4sIYATjwoQEDAwc="}
@@ -52,7 +52,7 @@
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976999789,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976999944,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzGAmGFC+ciJO0aAScSCizgAAAgQFtAQCCAoD4sJ7ATjxBAEDAwc="}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000540,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000540,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0Z5JAAD4GXkasEAABwKgKMsxeAFDFSpaWtwyVpoAQAOXRDgAAAQEICgE48QQD4sJ7"}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000543,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000543,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0v9VAAD4GBgOsEAABwKgKMsxgAFByIk7RJhhQv4AQAOVB1gAAAQEICgE48QQD4sJ7"}
-01842{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":79927.5,"max":856251,"stddev":206521.8,"var":42651250688.0,"ent":2.7,"data": [152,921,4,863,1492,2144,20680,25919,42487,6012,44423,1321,232,1259,67,51,1208,273,437,68644,70522,37847,60433,98253,1091,851698,856251,4579,109710,139259,29522,0]},"pktlen": {"min":66,"avg":627.0,"max":4410,"stddev":1050.3,"var":1103191.5,"ent":3.8,"data": [74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":79927.5,"max":856251,"stddev":206521.8,"var":42651250688.0,"ent":2.7,"data": [152,921,4,863,1492,2144,20680,25919,42487,6012,44423,1321,232,1259,67,51,1208,273,437,68644,70522,37847,60433,98253,1091,851698,856251,4579,109710,139259,29522]},"pktlen": {"min":66,"avg":627.0,"max":4410,"stddev":1050.3,"var":1103191.5,"ent":3.8,"data": [74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01218{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346977863501,"flow_dst_last_pkt_time":1499346976677196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977863501,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/dvwa\/js\/dvwaPage.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}}
 01208{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346977870159,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977870159,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/favicon.ico","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":188,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346983175773,"flow_src_last_pkt_time":1499346983175773,"flow_dst_last_pkt_time":1499346983175773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346983175773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52386,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -192,7 +192,7 @@
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":659,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150116,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8q1JAAD4GGn6sEAABwKgKMs8MAFB23Zv2AAAAAKACchBK9gAAAgQFtAQCCAoBOTCkAAAAAAEDAwc="}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":660,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150244,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzwwb3aSHdt2b96AScSCFcgAAAgQFtAQCCAoD4wIbATkwpAEDAwc="}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":661,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1499347042150994,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347042150994,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0q1NAAD4GGoWsEAABwKgKMs8MAFB23Zv3G92kiIAQAOUkegAAAQEICgE5MKQD4wIb"}
-01988{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":609904.1,"max":3808906,"stddev":940979.2,"var":885441822720.0,"ent":3.7,"data": [97,845,3808060,3808906,3088,3867,1010444,1014181,3805,246952,250608,3613,1037920,1041646,3765,265406,269174,3736,1020088,1024520,4409,240929,244611,3693,1033112,1036761,3674,252788,256472,3667,1006191,0]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01986{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":609904.1,"max":3808906,"stddev":940979.2,"var":885441822720.0,"ent":3.7,"data": [97,845,3808060,3808906,3088,3867,1010444,1014181,3805,246952,250608,3613,1037920,1041646,3765,265406,269174,3736,1020088,1024520,4409,240929,244611,3693,1033112,1036761,3674,252788,256472,3667,1006191]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347043416905,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347043416905,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53018,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043416905,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8okxAAD4GI4SsEAABwKgKMs8aAFDJVZOtAAAAAKACchD\/ewAAAgQFtAQCCAoBOTHhAAAAAAEDAwc="}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043417034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043417034,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzxosqk4zyVWTrqAScSB+QwAAAgQFtAQCCAoD4wNXATkx4QEDAwc="}
@@ -360,7 +360,7 @@
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":1,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719375,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8GMdAAD4GrQmsEAABwKgKMtG8AFANSWhrAAAAAKACchClXQAAAgQFtAQCCAoBOXCsAAAAAAEDAwc="}
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1196,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":2,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719520,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ0byrN2AMDUlobKAScSBU8gAAAgQFtAQCCAoD40IjATlwrAEDAwc="}
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1197,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":3,"flow_src_last_pkt_time":1499347107720082,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347107720082,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0GMhAAD4GrRCsEAABwKgKMtG8AFANSWhsqzdgDYAQAOXz+AAAAQEICgE5cK0D40Ij"}
-01896{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":127,"avg":653377.9,"max":4898512,"stddev":1185987.6,"var":1406566662144.0,"ent":3.5,"data": [127,684,4897818,4898512,8582,9379,243178,246717,3562,1041173,1044833,3840,241167,245261,3969,1005489,1009493,3958,240995,244588,3615,1008862,1012541,3693,268328,273700,5337,1005565,1009604,4099,266047,0]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01894{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":127,"avg":653377.9,"max":4898512,"stddev":1185987.6,"var":1406566662144.0,"ent":3.5,"data": [127,684,4897818,4898512,8582,9379,243178,246717,3562,1041173,1044833,3840,241167,245261,3969,1005489,1009493,3958,240995,244588,3615,1008862,1012541,3693,268328,273700,5337,1005565,1009604,4099,266047]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":6,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346982914483,"flow_dst_last_pkt_time":1499346982914560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":5330,"flow_src_tot_l4_payload_len":759,"flow_dst_tot_l4_payload_len":6093,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346982906448,"flow_dst_last_pkt_time":1499346982906527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1707,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":1707,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00892{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499346976999789,"flow_src_last_pkt_time":1499346982607912,"flow_dst_last_pkt_time":1499346982607149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52320,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
@@ -577,7 +577,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1708,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":1,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098409,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8dk5AAD4GT4KsEAABwKgKMtRaAFDNItnFAAAAAKACchAyrAAAAgQFtAQCCAoBOa+LAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1709,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":2,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098530,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1FoQ75vBzSLZxqAScSAB9QAAAgQFtAQCCAoD44ECATmviwEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":3,"flow_src_last_pkt_time":1499347172099279,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347172099279,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0dk9AAD4GT4msEAABwKgKMtRaAFDNItnGEO+bwoAQAOWg\/AAAAQEICgE5r4sD44EC"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":608768.2,"max":3827235,"stddev":943347.2,"var":889903972352.0,"ent":3.7,"data": [107,901,3826349,3827235,3096,3895,1023011,1026934,3928,268230,273681,5427,1005208,1009216,4030,256246,259862,3614,1006897,1010591,3696,250084,253817,3763,1011263,1016096,4808,241019,244651,3645,1020517,0]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570947.8,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":608768.2,"max":3827235,"stddev":943347.2,"var":889903972352.0,"ent":3.7,"data": [107,901,3826349,3827235,3096,3895,1023011,1026934,3928,268230,273681,5427,1005208,1009216,4030,256246,259862,3614,1006897,1010591,3696,250084,253817,3763,1011263,1016096,4808,241019,244651,3645,1020517]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570947.8,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347173373791,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347173373791,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54376,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":1,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373791,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8XK1AAD4GaSOsEAABwKgKMtRoAFDpcOxnAAAAAKACchACbwAAAgQFtAQCCAoBObDKAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1718,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":2,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373905,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1GhwCsiK6XDsaKAScSBElAAAAgQFtAQCCAoD44JBATmwygEDAwc="}
@@ -800,7 +800,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2235,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":1,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716450,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716450,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8wLxAAD4GBRSsEAABwKgKMtb+AFAtaC0QAAAAAKACchA+VwAAAgQFtAQCCAoBOe2sAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716582,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1v760xqZLWgtEaAScSBmwwAAAgQFtAQCCAoD478iATntrAEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":3,"flow_src_last_pkt_time":1499347235717314,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347235717314,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0wL1AAD4GBRusEAABwKgKMtb+AFAtaC0R+tMamoAQAOUFywAAAQEICgE57awD478i"}
-01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":567530.0,"max":3642588,"stddev":903579.0,"var":816455024640.0,"ent":3.6,"data": [95,698,3641887,3642588,3124,4095,234104,238457,4183,1006077,1010963,4878,233120,236850,3778,1005601,1010652,5027,236201,239833,3605,1006827,1010500,3683,232616,236267,3614,1034871,1038879,4091,256266,0]},"pktlen": {"min":66,"avg":727.7,"max":1935,"stddev":750.8,"var":563712.5,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01891{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":567530.0,"max":3642588,"stddev":903579.0,"var":816455024640.0,"ent":3.6,"data": [95,698,3641887,3642588,3124,4095,234104,238457,4183,1006077,1010963,4878,233120,236850,3778,1005601,1010652,5027,236201,239833,3605,1006827,1010500,3683,232616,236267,3614,1034871,1038879,4091,256266]},"pktlen": {"min":66,"avg":727.7,"max":1935,"stddev":750.8,"var":563712.5,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347238260432,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260432,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8N5lAAD4GjjesEAABwKgKMtcYAFCMG8exAAAAAKACchBCbAAAAgQFtAQCCAoBOfAoAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2254,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260538,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260538,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1xiQuLeAjBvHsqAScSA1kAAAAgQFtAQCCAoD48GeATnwKAEDAwc="}
@@ -1019,7 +1019,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2770,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":1,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263398,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8bohAAD4GV0isEAABwKgKMtmuAFBvk0I9AAAAAKACchClRQAAAgQFtAQCCAoBOiy1AAAAAAEDAwc="}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2771,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":2,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263526,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2a7Gy0E5b5NCPqAScSCcEAAAAgQFtAQCCAoD4\/4rATostQEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2772,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":3,"flow_src_last_pkt_time":1499347300264292,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347300264292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0bolAAD4GV0+sEAABwKgKMtmuAFBvk0I+xstBOoAQAOU7GAAAAQEICgE6LLUD4\/4r"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":601942.8,"max":3784925,"stddev":935922.8,"var":875951489024.0,"ent":3.7,"data": [124,875,3784070,3784925,3065,3805,1003969,1007602,3694,223699,227380,3680,1007795,1011581,3778,255776,259460,3650,1007868,1011955,4221,230369,234793,4295,1037481,1041928,4473,238345,242041,3668,1009864,0]},"pktlen": {"min":66,"avg":730.9,"max":1935,"stddev":755.9,"var":571323.5,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":601942.8,"max":3784925,"stddev":935922.8,"var":875951489024.0,"ent":3.7,"data": [124,875,3784070,3784925,3065,3805,1003969,1007602,3694,223699,227380,3680,1007795,1011581,3778,255776,259460,3650,1007868,1011955,4221,230369,234793,4295,1037481,1041928,4473,238345,242041,3668,1009864]},"pktlen": {"min":66,"avg":730.9,"max":1935,"stddev":755.9,"var":571323.5,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347301520809,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347301520809,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55740,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":1,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520809,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80Q9AAD4G9MCsEAABwKgKMtm8AFCdpvzgAAAAAKACchC7RgAAAgQFtAQCCAoBOi3vAAAAAAEDAwc="}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2783,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":2,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2bw9W3Mnnab84aAScSAIWgAAAgQFtAQCCAoD4\/9lATot7wEDAwc="}
@@ -1252,7 +1252,7 @@
 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347235716450,"flow_src_last_pkt_time":1499347241682595,"flow_dst_last_pkt_time":1499347241682043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55038,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-01891{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":634913.3,"max":4805402,"stddev":1169757.4,"var":1368332173312.0,"ent":3.4,"data": [124,694,4804702,4805402,3052,3844,248597,252202,3707,1022416,1026219,3805,225184,229157,49,3959,1026815,1030902,4151,232536,236200,80,3611,1006031,1010739,4812,233237,236850,3621,1007952,1011661,0]},"pktlen": {"min":66,"avg":709.6,"max":1934,"stddev":708.0,"var":501313.9,"ent":4.3,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01889{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":634913.3,"max":4805402,"stddev":1169757.4,"var":1368332173312.0,"ent":3.4,"data": [124,694,4804702,4805402,3052,3844,248597,252202,3707,1022416,1026219,3805,225184,229157,49,3959,1026815,1030902,4151,232536,236200,80,3611,1006031,1010739,4812,233237,236850,3621,1007952,1011661]},"pktlen": {"min":66,"avg":709.6,"max":1934,"stddev":708.0,"var":501313.9,"ent":4.3,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347365320773,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347365320773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56414,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":1,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320773,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8CZFAAD4GvD+sEAABwKgKMtxeAFCYJmWsAAAAAKACchAXCwAAAgQFtAQCCAoBOmw9AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3308,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":2,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3F6n4QiemCZlraAScSAl0wAAAgQFtAQCCAoD5D2zATpsPQEDAwc="}
@@ -1481,7 +1481,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3844,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":1,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671151,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8vFFAAD4GCX+sEAABwKgKMt8CAFCqwBZKAAAAAKACchATUQAAAgQFtAQCCAoBOqobAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3845,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":2,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671287,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3wITPWXXqsAWS6AScSAbpgAAAgQFtAQCCAoD5HuRATqqGwEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3846,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":3,"flow_src_last_pkt_time":1499347428672036,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347428672036,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0vFJAAD4GCYasEAABwKgKMt8CAFCqwBZLEz1l2IAQAOW6rQAAAQEICgE6qhsD5HuR"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":606310.6,"max":3818967,"stddev":944243.6,"var":891595915264.0,"ent":3.7,"data": [126,889,3818133,3818967,2889,3638,1026811,1031184,4412,231903,235642,3751,1006981,1010745,3756,236240,239931,3646,1008869,1012823,4179,228551,232759,4019,1040911,1048342,7412,251595,255221,3632,1017670,0]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":606310.6,"max":3818967,"stddev":944243.6,"var":891595915264.0,"ent":3.7,"data": [126,889,3818133,3818967,2889,3638,1026811,1031184,4412,231903,235642,3751,1006981,1010745,3756,236240,239931,3646,1008869,1012823,4179,228551,232759,4019,1040911,1048342,7412,251595,255221,3632,1017670]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347431192783,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":1,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192783,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8+sNAAD4GywysEAABwKgKMt8cAFA\/1VZRAAAAAKACchA7pAAAAgQFtAQCCAoBOqySAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3863,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":2,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192884,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192884,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3xwMzQFkP9VWUqAScSCsZgAAAgQFtAQCCAoD5H4HATqskgEDAwc="}
@@ -1706,7 +1706,7 @@
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4384,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":1,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167254,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167254,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8VdJAAD4Gb\/6sEAABwKgKMuGyAFCUXbzFAAAAAKACchBBjAAAAgQFtAQCCAoBOukXAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4385,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":2,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167378,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4bJdzKzTlF28xqAScSB5WQAAAgQFtAQCCAoD5LqNATrpFwEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4386,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":3,"flow_src_last_pkt_time":1499347493168132,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347493168132,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0VdNAAD4GcAWsEAABwKgKMuGyAFCUXbzGXcys1IAQAOUYYAAAAQEICgE66RgD5LqN"}
-01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":567039.8,"max":3536204,"stddev":877375.9,"var":769788411904.0,"ent":3.7,"data": [126,910,3535287,3536204,3041,3865,353475,357566,4142,1009473,1013529,4051,235924,239646,3697,1007485,1011210,3722,236124,239766,3661,1007627,1011378,3776,240922,244715,3743,1011730,1015517,3791,232129,0]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":567039.8,"max":3536204,"stddev":877375.9,"var":769788411904.0,"ent":3.7,"data": [126,910,3535287,3536204,3041,3865,353475,357566,4142,1009473,1013529,4051,235924,239646,3697,1007485,1011210,3722,236124,239766,3661,1007627,1011378,3776,240922,244715,3743,1011730,1015517,3791,232129]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347494446547,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347494446547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57792,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":1,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446547,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8G1FAAD4Gqn+sEAABwKgKMuHAAFAmKfEGAAAAAKACchB6MQAAAgQFtAQCCAoBOupXAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4394,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":2,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4cATAV39JinxB6AScSBKYAAAAgQFtAQCCAoD5LvNATrqVwEDAwc="}
@@ -1944,7 +1944,7 @@
 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347428671151,"flow_src_last_pkt_time":1499347433734524,"flow_dst_last_pkt_time":1499347433733752,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57090,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":602879.4,"max":3809547,"stddev":940726.8,"var":884966883328.0,"ent":3.7,"data": [124,686,3808906,3809547,3416,4144,1007073,1011285,4302,225901,229521,3769,1021770,1025776,4116,233969,238478,4482,1006263,1010669,4325,238452,243200,4543,1006668,1011166,4498,253524,257102,3581,1008005,0]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571097.9,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":602879.4,"max":3809547,"stddev":940726.8,"var":884966883328.0,"ent":3.7,"data": [124,686,3808906,3809547,3416,4144,1007073,1011285,4302,225901,229521,3769,1021770,1025776,4116,233969,238478,4482,1006263,1010669,4325,238452,243200,4543,1006668,1011166,4498,253524,257102,3581,1008005]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571097.9,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347557789292,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347557789292,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58468,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":1,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82zBAAD4G6p+sEAABwKgKMuRkAFBn0PMDAAAAAKACchD2DAAAAgQFtAQCCAoBOygzAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4928,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":2,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789349,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789349,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5GT+u1l1Z9DzBKAScSChLQAAAgQFtAQCCAoD5PmoATsoMwEDAwc="}
@@ -2169,7 +2169,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5444,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":1,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757865,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UcRAAD4GdAysEAABwKgKMub0AFCevDJ5AAAAAKACchBBkQAAAgQFtAQCCAoBO2O9AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5445,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":2,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757988,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5vRXo2m0nrwyeqAScSBIAQAAAgQFtAQCCAoD5TUyATtjvQEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5446,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":3,"flow_src_last_pkt_time":1499347618758844,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347618758844,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0UcVAAD4GdBOsEAABwKgKMub0AFCevDJ6V6NptYAQAOXnBwAAAQEICgE7Y74D5TUy"}
-01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":636768.6,"max":4822860,"stddev":1172576.8,"var":1374936236032.0,"ent":3.4,"data": [143,1062,4821803,4822860,2874,5990,221999,227886,4985,1013,1004953,1011219,4071,265484,269299,3619,1019861,1023488,4016,238184,242252,4785,1005968,1010668,4015,237942,242400,5048,1010956,1015950,5036,0]},"pktlen": {"min":66,"avg":709.6,"max":1935,"stddev":759.8,"var":577334.1,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":636768.6,"max":4822860,"stddev":1172576.8,"var":1374936236032.0,"ent":3.4,"data": [143,1062,4821803,4822860,2874,5990,221999,227886,4985,1013,1004953,1011219,4071,265484,269299,3619,1019861,1023488,4016,238184,242252,4785,1005968,1010668,4015,237942,242400,5048,1010956,1015950,5036]},"pktlen": {"min":66,"avg":709.6,"max":1935,"stddev":759.8,"var":577334.1,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347621256083,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347621256083,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59150,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":1,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256083,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Hc9AAD4GqAGsEAABwKgKMucOAFD+NnvhAAAAAKACchCWIwAAAgQFtAQCCAoBO2YuAAAAAAEDAwc="}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5463,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":2,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256213,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256213,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5w6DP0I9\/jZ74qAScSCV\/QAAAgQFtAQCCAoD5TejATtmLgEDAwc="}
@@ -2400,7 +2400,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6001,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":1,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563427,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563427,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82yNAAD4G6qysEAABwKgKMumyAFDf7X8iAAAAAKACchBwtAAAAgQFtAQCCAoBO6QBAAAAAAEDAwc="}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6002,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":2,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563554,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6bLDIQ3O3+1\/I6AScSAnSAAAAgQFtAQCCAoD5XV2ATukAQEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6003,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":3,"flow_src_last_pkt_time":1499347684564308,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347684564308,"pkt":"ABm5CmnxAMGxFOsxCABFAAA02yRAAD4G6rOsEAABwKgKMumyAFDf7X8jwyENz4AQAOXGTwAAAQEICgE7pAED5XV2"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":604343.1,"max":3767000,"stddev":933372.4,"var":871184138240.0,"ent":3.7,"data": [122,677,3766369,3767000,3476,4237,1039907,1045427,5545,227268,230918,3646,1037098,1040865,3812,252859,256647,3763,1024020,1027777,3716,237350,240983,3608,1007832,1011497,3720,234952,238656,3696,1007191,0]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":604343.1,"max":3767000,"stddev":933372.4,"var":871184138240.0,"ent":3.7,"data": [122,677,3766369,3767000,3476,4237,1039907,1045427,5545,227268,230918,3646,1037098,1040865,3812,252859,256647,3763,1024020,1027777,3716,237350,240983,3608,1007832,1011497,3720,234952,238656,3696,1007191]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347687089585,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347687089585,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59852,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":1,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089585,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UahAAD4GdCisEAABwKgKMunMAFBn2\/fQAAAAAKACchBthwAAAgQFtAQCCAoBO6Z4AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6023,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":2,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6cx2j8kIZ9v30aAScSCy+wAAAgQFtAQCCAoD5XftATumeAEDAwc="}
@@ -2645,7 +2645,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6545,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":1,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308453,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8qStAAD4GHKWsEAABwKgKMuyOAFBMoE8CAAAAAKACchDvHQAAAgQFtAQCCAoBO+YpAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6546,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":2,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308578,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7I5f6lZGTKBPA6AScSB+SAAAAgQFtAQCCAoD5beeATvmKQEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6547,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":3,"flow_src_last_pkt_time":1499347752309233,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347752309233,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0qSxAAD4GHKysEAABwKgKMuyOAFBMoE8DX+pWR4AQAOUdTwAAAQEICgE75ioD5bee"}
-01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":570935.4,"max":3582115,"stddev":886830.3,"var":786468044800.0,"ent":3.7,"data": [130,887,3581223,3582115,3304,4122,271038,275625,4605,1007486,1011252,3777,268863,273004,4125,1007482,1011640,4170,263574,267468,3888,1019754,1023735,4007,253226,261155,7923,1002871,1011773,8903,255870,0]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.7,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":570935.4,"max":3582115,"stddev":886830.3,"var":786468044800.0,"ent":3.7,"data": [130,887,3581223,3582115,3304,4122,271038,275625,4605,1007486,1011252,3777,268863,273004,4125,1007482,1011640,4170,263574,267468,3888,1019754,1023735,4007,253226,261155,7923,1002871,1011773,8903,255870]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.7,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347753649698,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347753649698,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60572,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":1,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649698,"pkt":"ABm5CmnxAMGxFOsxCABFAAA825ZAAD4G6jmsEAABwKgKMuycAFCJVjzvAAAAAKACchDDHAAAAgQFtAQCCAoBO+d5AAAAAAEDAwc="}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6558,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":2,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649826,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649826,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7Jyb\/4pAiVY88KAScSDg6AAAAgQFtAQCCAoD5bjtATvneQEDAwc="}
@@ -2868,7 +2868,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7073,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":1,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816657942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816657942,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8lQ1AAD4GMMOsEAABwKgKMoDqAFAyzLAMAAAAAKACchDUswAAAgQFtAQCCAoBPCUBAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7074,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":2,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816658067,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgOp6zxHVMsywDaAScSBOkwAAAgQFtAQCCAoD5fZ1ATwlAQEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7075,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":3,"flow_src_last_pkt_time":1499347816658755,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347816658755,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0lQ5AAD4GMMqsEAABwKgKMoDqAFAyzLANes8R1oAQAOXtmgAAAQEICgE8JQED5fZ1"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":158,"avg":614060.8,"max":3861987,"stddev":952957.6,"var":908128223232.0,"ent":3.7,"data": [158,871,3861200,3861987,3248,3959,1007386,1010966,3670,256861,260494,3559,1018334,1021980,3614,243418,246972,3620,1033482,1037187,3726,244230,248333,4100,1037495,1041661,4162,261455,265110,3630,1039015,0]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570948.0,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":158,"avg":614060.8,"max":3861987,"stddev":952957.6,"var":908128223232.0,"ent":3.7,"data": [158,871,3861200,3861987,3248,3959,1007386,1010966,3670,256861,260494,3559,1018334,1021980,3614,243418,246972,3620,1033482,1037187,3726,244230,248333,4100,1037495,1041661,4162,261455,265110,3630,1039015]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570948.0,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347819250899,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347819250899,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33028,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":1,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819250899,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8LORAAD4GmOysEAABwKgKMoEEAFDtQwttAAAAAKACchC8OQAAAgQFtAQCCAoBPCeJAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7095,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":2,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819251024,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819251024,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgQQkyBmr7UMLbqAScSCBwQAAAgQFtAQCCAoD5fj+ATwniQEDAwc="}
@@ -3089,7 +3089,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7597,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":1,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141710,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141710,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HhAAD4G9VesEAABwKgKMoOKAFDzHbOCAAAAAKACchDPUgAAAgQFtAQCCAoBPGP6AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7598,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":2,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141852,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg4pPHZMl8x2zg6AScSC0mgAAAgQFtAQCCAoD5jVuATxj+gEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7599,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":3,"flow_src_last_pkt_time":1499347881142632,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347881142632,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HlAAD4G9V6sEAABwKgKMoOKAFDzHbODTx2TJoAQAOVTogAAAQEICgE8Y\/oD5jVu"}
-01897{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":651208.6,"max":4840595,"stddev":1171443.9,"var":1372280717312.0,"ent":3.5,"data": [126,862,4839753,4840595,3674,4464,263225,266840,3672,1005298,1009118,3796,260614,264369,3758,1024972,1028663,3708,266053,269708,3666,1007636,1011884,4257,260865,265134,4231,1006690,1010841,4181,244813,0]},"pktlen": {"min":66,"avg":727.8,"max":1935,"stddev":751.0,"var":564013.3,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":651208.6,"max":4840595,"stddev":1171443.9,"var":1372280717312.0,"ent":3.5,"data": [126,862,4839753,4840595,3674,4464,263225,266840,3672,1005298,1009118,3796,260614,264369,3758,1024972,1028663,3708,266053,269708,3666,1007636,1011884,4257,260865,265134,4231,1006690,1010841,4181,244813]},"pktlen": {"min":66,"avg":727.8,"max":1935,"stddev":751.0,"var":564013.3,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347882404247,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347882404247,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33688,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":1,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404247,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8eWdAAD4GTGmsEAABwKgKMoOYAFA4phxRAAAAAKACchAfsgAAAgQFtAQCCAoBPGU2AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7608,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":2,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404320,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404320,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg5hCgWTIOKYcUqAScSA+twAAAgQFtAQCCAoD5jaqATxlNgEDAwc="}
@@ -3304,7 +3304,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8117,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":1,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720318,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720318,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8sjdAAD4GE5msEAABwKgKMoYqAFDdpBE8AAAAAKACchBFYQAAAgQFtAQCCAoBPKMLAAAAAAEDAwc="}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8118,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":2,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720417,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQhiqh1kGM3aQRPaAScSDqdwAAAgQFtAQCCAoD5nR\/ATyjCwEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8119,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":3,"flow_src_last_pkt_time":1499347945721181,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347945721181,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0sjhAAD4GE6CsEAABwKgKMoYqAFDdpBE9odZBjYAQAOWJfwAAAQEICgE8owsD5nR\/"}
-01987{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":171,"avg":498294.4,"max":2588369,"stddev":688746.1,"var":474371129344.0,"ent":3.7,"data": [171,739,2587661,2588369,3663,4498,1020517,1024859,4382,244684,248374,3703,1042345,1046980,4607,242309,245980,3660,1031191,1034926,3726,241353,245065,3596,495,1025211,1029311,3750,251257,255524,4221,0]},"pktlen": {"min":66,"avg":718.7,"max":1934,"stddev":762.8,"var":581830.0,"ent":4.2,"data": [74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":171,"avg":498294.4,"max":2588369,"stddev":688746.1,"var":474371129344.0,"ent":3.7,"data": [171,739,2587661,2588369,3663,4498,1020517,1024859,4382,244684,248374,3703,1042345,1046980,4607,242309,245980,3660,1031191,1034926,3726,241353,245065,3596,495,1025211,1029311,3750,251257,255524,4221]},"pktlen": {"min":66,"avg":718.7,"max":1934,"stddev":762.8,"var":581830.0,"ent":4.2,"data": [74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":499,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347814066618,"flow_src_last_pkt_time":1499347819845842,"flow_dst_last_pkt_time":1499347819845138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32974,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
@@ -3545,7 +3545,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8666,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":1,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728762,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728762,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8MbdAAD4GlBmsEAABwKgKMojoAFBoxNXMAAAAAKACchCxggAAAgQFtAQCCAoBPOR7AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8667,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":2,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728872,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiOhwV55UaMTVzaAScSDp3wAAAgQFtAQCCAoD5rXvATzkewEDAwc="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":3,"flow_src_last_pkt_time":1499348012729471,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348012729471,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0MbhAAD4GlCCsEAABwKgKMojoAFBoxNXNcFeeVYAQAOWI5wAAAQEICgE85HsD5rXv"}
-01897{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":655391.8,"max":4897215,"stddev":1186666.9,"var":1408178323456.0,"ent":3.5,"data": [168,874,4896388,4897215,3139,3939,250433,254530,4103,1006878,1011034,4128,267330,271177,3882,1007953,1011957,4030,246777,250412,3605,1038702,1042399,3673,241578,245223,3629,1046261,1049943,3750,242035,0]},"pktlen": {"min":66,"avg":727.8,"max":1934,"stddev":751.0,"var":564013.2,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":655391.8,"max":4897215,"stddev":1186666.9,"var":1408178323456.0,"ent":3.5,"data": [168,874,4896388,4897215,3139,3939,250433,254530,4103,1006878,1011034,4128,267330,271177,3882,1007953,1011957,4030,246777,250412,3605,1038702,1042399,3673,241578,245223,3629,1046261,1049943,3750,242035]},"pktlen": {"min":66,"avg":727.8,"max":1934,"stddev":751.0,"var":564013.2,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348015250467,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348015250467,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35074,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":1,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250467,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8SaJAAD4GfC6sEAABwKgKMokCAFA1NK9QAAAAAKACchAI\/gAAAgQFtAQCCAoBPObyAAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8685,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":2,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250592,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250592,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiQJJKiEWNTSvUaAScSDjTwAAAgQFtAQCCAoD5rhmATzm8gEDAwc="}
@@ -3762,7 +3762,7 @@
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9192,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":1,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218866,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218866,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HtAAD4G9VSsEAABwKgKMouKAFBc0\/MNAAAAAKACchBelQAAAgQFtAQCCAoBPSN2AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9193,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":2,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218968,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi4oOSV5eXNPzDqAScSD5+wAAAgQFtAQCCAoD5vTqAT0jdgEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":3,"flow_src_last_pkt_time":1499348077219749,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348077219749,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HxAAD4G9VusEAABwKgKMouKAFBc0\/MODkleX4AQAOWZAwAAAQEICgE9I3YD5vTq"}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":619782.1,"max":3953842,"stddev":972474.7,"var":945707024384.0,"ent":3.7,"data": [124,706,3953188,3953842,3024,3763,1020630,1024309,3710,248238,252345,4156,1041683,1045979,4295,255096,258771,3649,1007135,1010804,3655,252666,256217,3575,1010481,1014239,3761,262869,266680,3784,1039870,0]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":619782.1,"max":3953842,"stddev":972474.7,"var":945707024384.0,"ent":3.7,"data": [124,706,3953188,3953842,3024,3763,1020630,1024309,3710,248238,252345,4156,1041683,1045979,4295,255096,258771,3649,1007135,1010804,3655,252666,256217,3575,1010481,1014239,3761,262869,266680,3784,1039870]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348078531918,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348078531918,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35736,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":1,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078531918,"pkt":"ABm5CmnxAMGxFOsxCABFAAA86yNAAD4G2qysEAABwKgKMouYAFAizM+dAAAAAKACchC6tgAAAgQFtAQCCAoBPSS+AAAAAAEDAwc="}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9205,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":2,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078532057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078532057,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi5glYndPIszPnqAScSAkywAAAgQFtAQCCAoD5vYyAT0kvgEDAwc="}
@@ -3995,10 +3995,10 @@
 ~~ total active/idle flows...: 661/661
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7389326 bytes
-~~ total memory freed........: 7389326 bytes
+~~ total memory allocated....: 7386682 bytes
+~~ total memory freed........: 7386682 bytes
 ~~ total allocations/frees...: 137589/137589
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
-~~ json string max len.......: 1997 chars
-~~ json string avg len.......: 1247 chars
+~~ json string max len.......: 1995 chars
+~~ json string avg len.......: 1246 chars
diff --git a/test/results/activision.pcap.out b/test/results/activision.pcap.out
index 9be80221f..8e2e42cf6 100644
--- a/test/results/activision.pcap.out
+++ b/test/results/activision.pcap.out
@@ -36,8 +36,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042269 bytes
-~~ total memory freed........: 6042269 bytes
+~~ total memory allocated....: 6042253 bytes
+~~ total memory freed........: 6042253 bytes
 ~~ total allocations/frees...: 121577/121577
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/afp.pcap.out b/test/results/afp.pcap.out
index 048b92f15..9db2089c5 100644
--- a/test/results/afp.pcap.out
+++ b/test/results/afp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036109 bytes
-~~ total memory freed........: 6036109 bytes
+~~ total memory allocated....: 6036105 bytes
+~~ total memory freed........: 6036105 bytes
 ~~ total allocations/frees...: 121503/121503
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/agora-sd-rtn.pcap.out b/test/results/agora-sd-rtn.pcap.out
index 24ac021fb..4dca62efb 100644
--- a/test/results/agora-sd-rtn.pcap.out
+++ b/test/results/agora-sd-rtn.pcap.out
@@ -192,8 +192,8 @@
 ~~ total active/idle flows...: 26/26
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6088032 bytes
-~~ total memory freed........: 6088032 bytes
+~~ total memory allocated....: 6087928 bytes
+~~ total memory freed........: 6087928 bytes
 ~~ total allocations/frees...: 122140/122140
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/ah.pcapng.out b/test/results/ah.pcapng.out
index 6b0aef118..1a6d67175 100644
--- a/test/results/ah.pcapng.out
+++ b/test/results/ah.pcapng.out
@@ -20,8 +20,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037447 bytes
-~~ total memory freed........: 6037447 bytes
+~~ total memory allocated....: 6037439 bytes
+~~ total memory freed........: 6037439 bytes
 ~~ total allocations/frees...: 121503/121503
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/aimini-http.pcap.out b/test/results/aimini-http.pcap.out
index ec38372d2..341572b30 100644
--- a/test/results/aimini-http.pcap.out
+++ b/test/results/aimini-http.pcap.out
@@ -10,7 +10,7 @@
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229385965,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386298,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBP8AAH8GIfsKZQACCmYAAm9WAFCbu7tlAAAAAHACgAEoiAAAAgQFtAMDAQA="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229386303,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386303,"pkt":"WgXZu6TVApXG95WRCABFAAAwBQ0AAIAGAAAKZgACCmUAAgBQb1abu8Cxm7u7ZnASgAEU8QAAAgQFtAMDAQA="}
 01204{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1614860229385965,"flow_src_last_pkt_time":1614860229386487,"flow_dst_last_pkt_time":1614860229386479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":524,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":524,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229386487,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28502,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download","hostname":"www.aimini.com","http": {"url":"www.aimini.com\/webcounter\/w.php?___hm=.net_SignUp_&_lh_=http:\/\/www.aimini.net\/member\/signup\/&__Refer_=http:\/\/www.aimini.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko\/20110420 Firefox\/3.6.17","detected_os":"Windows"}}}
-01652{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":220.0,"max":1148,"stddev":358.7,"var":128687.4,"ent":3.4,"data": [532,1116,414,1004,27,697,105,894,3,1,2,1,1,2,2,191,11,276,4,1,4,2,1,3,3,78,197,1,99,1148,1,0]},"pktlen": {"min":60,"avg":838.4,"max":1514,"stddev":690.0,"var":476082.3,"ent":4.4,"data": [62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}}
+01650{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":220.0,"max":1148,"stddev":358.7,"var":128687.4,"ent":3.4,"data": [532,1116,414,1004,27,697,105,894,3,1,2,1,1,2,2,191,11,276,4,1,4,2,1,3,3,78,197,1,99,1148,1]},"pktlen": {"min":60,"avg":838.4,"max":1514,"stddev":690.0,"var":476082.3,"ent":4.4,"data": [62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1614860229388780,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229388780,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28503,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229388780,"pkt":"5kBKB+riApXG95NLCABFAAAwBREAAIAGAAAKZQACCmYAAm9XAFCbu+drAAAAAHACgAEU8QAAAgQFtAMDAQA="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229389055,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229389055,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBREAAH8GIekKZQACCmYAAm9XAFCbu+drAAAAAHACgAH8gAAAAgQFtAMDAQA="}
@@ -34,10 +34,10 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045592 bytes
-~~ total memory freed........: 6045592 bytes
+~~ total memory allocated....: 6045576 bytes
+~~ total memory freed........: 6045576 bytes
 ~~ total allocations/frees...: 121676/121676
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
-~~ json string max len.......: 1657 chars
-~~ json string avg len.......: 1075 chars
+~~ json string max len.......: 1655 chars
+~~ json string avg len.......: 1074 chars
diff --git a/test/results/ajp.pcap.out b/test/results/ajp.pcap.out
index 4b74371c5..29270a63b 100644
--- a/test/results/ajp.pcap.out
+++ b/test/results/ajp.pcap.out
@@ -45,8 +45,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038027 bytes
-~~ total memory freed........: 6038027 bytes
+~~ total memory allocated....: 6038019 bytes
+~~ total memory freed........: 6038019 bytes
 ~~ total allocations/frees...: 121523/121523
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 205 chars
diff --git a/test/results/alexa-app.pcapng.out b/test/results/alexa-app.pcapng.out
index 07d8ada40..c338ded1f 100644
--- a/test/results/alexa-app.pcapng.out
+++ b/test/results/alexa-app.pcapng.out
@@ -200,7 +200,7 @@
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1490976042101270,"flow_dst_last_pkt_time":1490976042099362,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976042101270,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0AfRAAEAGW7qsECrYNFXR2NSNAbumNE9Ps3pFE4AQAVdxMgAAAQEICgD2TsJtF6Xz"}
 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":282,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042149888,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976042149888,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01596{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042150550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1490976042150550,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}}
-01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":47,"avg":22128.4,"max":90510,"stddev":31052.4,"var":964249024.0,"ent":3.6,"data": [46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129,0]},"pktlen": {"min":66,"avg":594.3,"max":1514,"stddev":637.0,"var":405792.1,"ent":4.1,"data": [74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0]}}
+01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":47,"avg":22128.4,"max":90510,"stddev":31052.4,"var":964249024.0,"ent":3.6,"data": [46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129]},"pktlen": {"min":66,"avg":594.3,"max":1514,"stddev":637.0,"var":405792.1,"ent":4.1,"data": [74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0]}}
 01601{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}}
 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976042302047,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01503{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976042302667,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}}
@@ -211,7 +211,7 @@
 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043611721,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043611721,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00193{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","layer_type":35085,"global_ts_usec":1490976043617123}
 00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":35085,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1490976043612089,"pkt":"AMDKkaPvePiC0\/vCiQ0CDAoBZRIAwMqRdPh4+ILT+8IAwMqRo+\/dFACgxgAAAAAAAAAAAAAAAAAAAAAA"}
-01867{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":70,"avg":161219.8,"max":1015894,"stddev":286084.3,"var":81844248576.0,"ent":3.4,"data": [55686,59305,1428,66601,358,70,64102,4784,271,2661,66908,3070,100753,8343,108356,5909,66864,500848,354092,941132,3002,88712,111843,176480,211,64686,9150,104205,1015894,966451,45639,0]},"pktlen": {"min":54,"avg":380.2,"max":1514,"stddev":485.1,"var":235358.5,"ent":4.0,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54]},"bins": {"c_to_s": [12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01865{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":70,"avg":161219.8,"max":1015894,"stddev":286084.3,"var":81844248576.0,"ent":3.4,"data": [55686,59305,1428,66601,358,70,64102,4784,271,2661,66908,3070,100753,8343,108356,5909,66864,500848,354092,941132,3002,88712,111843,176480,211,64686,9150,104205,1015894,966451,45639]},"pktlen": {"min":54,"avg":380.2,"max":1514,"stddev":485.1,"var":235358.5,"ent":4.0,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54]},"bins": {"c_to_s": [12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976043811357,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP0pFAAEARuxKsECoBrBAq2AA1qVYAO\/ZCveGBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAAbAARIFc6H"}
 01021{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976043811357,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.135"}}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":398,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043814090,"flow_src_last_pkt_time":1490976043814090,"flow_dst_last_pkt_time":1490976043814090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043814090,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -271,7 +271,7 @@
 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":495,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976044509891,"flow_src_last_pkt_time":1490976044595782,"flow_dst_last_pkt_time":1490976044687978,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976044687978,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45678,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708534,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976044708534,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01490{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":513,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976044708747,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}}
-01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":166773.2,"max":835939,"stddev":244032.9,"var":59552047104.0,"ent":3.7,"data": [54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504,0]},"pktlen": {"min":54,"avg":401.0,"max":1514,"stddev":534.6,"var":285800.0,"ent":3.9,"data": [74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54]},"bins": {"c_to_s": [10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0]}}
+01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":166773.2,"max":835939,"stddev":244032.9,"var":59552047104.0,"ent":3.7,"data": [54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504]},"pktlen": {"min":54,"avg":401.0,"max":1514,"stddev":534.6,"var":285800.0,"ent":3.9,"data": [74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54]},"bins": {"c_to_s": [10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0]}}
 01494{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976046418630,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976046418630,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45680,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976046418630,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8dehAAEAG0QasECrYNF7ohrJwAbub2CWZAAAAAKAC\/\/+NLQAAAgQFtAQCCAoA9lBxAAAAAAEDAwg="}
@@ -309,7 +309,7 @@
 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047629213,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047631468,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976047560420,"flow_src_last_pkt_time":1490976047610667,"flow_dst_last_pkt_time":1490976047664674,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047664674,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54427,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"5ee142340adf02ded757447e2ff78986","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":704,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047695425,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047695425,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
-01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":44370.0,"max":352057,"stddev":78836.5,"var":6215196160.0,"ent":3.5,"data": [57034,58621,1781,56791,4768,135,59291,267,22886,80040,5852,71839,321,148,565,303,201,1403,296,114,67763,34752,23901,352057,295338,129,57737,650,60553,128,59805,0]},"pktlen": {"min":54,"avg":657.2,"max":1514,"stddev":676.9,"var":458225.8,"ent":4.2,"data": [74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514]},"bins": {"c_to_s": [4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0],"s_to_c": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":44370.0,"max":352057,"stddev":78836.5,"var":6215196160.0,"ent":3.5,"data": [57034,58621,1781,56791,4768,135,59291,267,22886,80040,5852,71839,321,148,565,303,201,1403,296,114,67763,34752,23901,352057,295338,129,57737,650,60553,128,59805]},"pktlen": {"min":54,"avg":657.2,"max":1514,"stddev":676.9,"var":458225.8,"ent":4.2,"data": [74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514]},"bins": {"c_to_s": [4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0],"s_to_c": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976047858519,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047858519,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42144,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976047858519,"pkt":"AMDKkaPvePiC0\/vCCABFAAA84nJAAEAGasSsECrYSBXOh6SgAbtFc7NzAAAAAKAC\/\/9pQAAAAgQFtAQCCAoA9lEBAAAAAAEDAwg="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":721,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":2,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047907178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976047907178,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwsPFAAOcG9VBIFc6HrBAq2AG7pKCmhnFJRXOzdHASH\/6\/cgAAAgQFtAEDAwY="}
@@ -372,8 +372,8 @@
 01172{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":903,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068061060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976068066460,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":907,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174408,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976068174408,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01563{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":3330,"midstream":0,"thread_ts_usec":1490976068174770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}}
-01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":123,"avg":237241.0,"max":2896813,"stddev":560116.6,"var":313730662400.0,"ent":2.8,"data": [52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790,0]},"pktlen": {"min":66,"avg":617.1,"max":1514,"stddev":665.4,"var":442821.7,"ent":4.1,"data": [74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":102165.5,"max":486056,"stddev":138313.6,"var":19130660864.0,"ent":3.7,"data": [92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423,0]},"pktlen": {"min":54,"avg":700.3,"max":1514,"stddev":682.0,"var":465082.8,"ent":4.2,"data": [74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1]}}
+01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":123,"avg":237241.0,"max":2896813,"stddev":560116.6,"var":313730662400.0,"ent":2.8,"data": [52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790]},"pktlen": {"min":66,"avg":617.1,"max":1514,"stddev":665.4,"var":442821.7,"ent":4.1,"data": [74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":102165.5,"max":486056,"stddev":138313.6,"var":19130660864.0,"ent":3.7,"data": [92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423]},"pktlen": {"min":54,"avg":700.3,"max":1514,"stddev":682.0,"var":465082.8,"ent":4.2,"data": [74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1]}}
 01568{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976071237623,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976071237623,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packet_id":1,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976071237623,"pkt":"AMDKkaPvePiC0\/vCCABFAAA870hAAEAGV6asECrYNF7ohsHGAFAgR7VrAAAAAKAC\/\/9hTwAAAgQFtAQCCAoA9lojAAAAAAEDAwg="}
@@ -538,7 +538,7 @@
 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1324,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090038424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192268,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1325,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090192765,"flow_dst_last_pkt_time":1490976090038470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192765,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01327{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1327,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":93,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089426961,"flow_src_last_pkt_time":1490976090196942,"flow_dst_last_pkt_time":1490976090038290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":996,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":996,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090196942,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49630,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAlexa","proto_id":"7.110","encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant","hostname":"alexa.amazon.com","http": {"url":"alexa.amazon.com\/lib\/bootstrap\/img\/glyphicons-halflings.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}}
-01869{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":288632.5,"max":1569527,"stddev":416979.2,"var":173871693824.0,"ent":3.7,"data": [325447,332868,307,247719,185,241306,284,257,23807,287,429915,65,1569527,1485936,352980,706902,73800,283,358821,365,256619,3724,240,956217,948562,95336,235551,1125,68,275387,23718,0]},"pktlen": {"min":54,"avg":385.1,"max":1514,"stddev":516.0,"var":266233.0,"ent":4.0,"data": [74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514]},"bins": {"c_to_s": [8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01867{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":288632.5,"max":1569527,"stddev":416979.2,"var":173871693824.0,"ent":3.7,"data": [325447,332868,307,247719,185,241306,284,257,23807,287,429915,65,1569527,1485936,352980,706902,73800,283,358821,365,256619,3724,240,956217,948562,95336,235551,1125,68,275387,23718]},"pktlen": {"min":54,"avg":385.1,"max":1514,"stddev":516.0,"var":266233.0,"ent":4.0,"data": [74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514]},"bins": {"c_to_s": [8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1343,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":92,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089239508,"flow_src_last_pkt_time":1490976090191085,"flow_dst_last_pkt_time":1490976090313083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313083,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45715,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090210793,"flow_dst_last_pkt_time":1490976090313160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313160,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1346,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090313192,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313192,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
@@ -562,10 +562,10 @@
 01077{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091160874,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976091163513,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1449,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":2,"flow_src_last_pkt_time":1490976091048429,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976091217295,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0Sq8AACcG8u0250hYrBAq2AG7o117lZ8zZBSwSYAS\/\/89vAAAAgQFmAMDCAEEAgEB"}
 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":3,"flow_src_last_pkt_time":1490976091219669,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976091219669,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo0alAAEAGEv+sECrYNudIWKNdAbtkFLBJe5WfNFAQAVeEFQAA"}
-01872{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":159906.1,"max":1191626,"stddev":282043.2,"var":79548358656.0,"ent":3.5,"data": [214415,219069,3661,1161828,1191626,138,43,75944,170423,352,118993,9705,7936,105518,89968,79074,135403,22399,255382,307,202303,1216,199697,125,147,204784,30,11403,221917,129,253154,0]},"pktlen": {"min":54,"avg":357.0,"max":1514,"stddev":486.7,"var":236894.1,"ent":4.0,"data": [74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60]},"bins": {"c_to_s": [4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":159906.1,"max":1191626,"stddev":282043.2,"var":79548358656.0,"ent":3.5,"data": [214415,219069,3661,1161828,1191626,138,43,75944,170423,352,118993,9705,7936,105518,89968,79074,135403,22399,255382,307,202303,1216,199697,125,147,204784,30,11403,221917,129,253154]},"pktlen": {"min":54,"avg":357.0,"max":1514,"stddev":486.7,"var":236894.1,"ent":4.0,"data": [74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60]},"bins": {"c_to_s": [4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01133{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1454,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091345211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1490976091345211,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01549{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1456,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091346214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":1432,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1490976091346214,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}}
-01872{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":69,"avg":209393.8,"max":1080313,"stddev":303367.1,"var":92031574016.0,"ent":3.7,"data": [1005698,1080313,210230,18680,169715,18028,104975,95,107187,277,11694,34788,143,215183,306,69,21708,195595,278,202797,728,212905,264,205823,10952,236264,754701,277,888900,405375,377261,0]},"pktlen": {"min":54,"avg":374.5,"max":1514,"stddev":516.5,"var":266795.3,"ent":3.9,"data": [74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60]},"bins": {"c_to_s": [7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":69,"avg":209393.8,"max":1080313,"stddev":303367.1,"var":92031574016.0,"ent":3.7,"data": [1005698,1080313,210230,18680,169715,18028,104975,95,107187,277,11694,34788,143,215183,306,69,21708,195595,278,202797,728,212905,264,205823,10952,236264,754701,277,888900,405375,377261]},"pktlen": {"min":54,"avg":374.5,"max":1514,"stddev":516.5,"var":266795.3,"ent":3.9,"data": [74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60]},"bins": {"c_to_s": [7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":1,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1490976093238253,"pkt":"AMDKkaPvePiC0\/vCCABFAABEWltAAEARM1SsECrYrBAqAaKnADUAMOTtwQkBAAABAAAAAAAAC2RwLWd3LW5hLWpzBmFtYXpvbgNjb20AAAEAAQ=="}
 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -631,12 +631,12 @@
 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976107479024,"flow_dst_last_pkt_time":1490976107577887,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107577887,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}}
 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365068,"flow_src_last_pkt_time":1490976107486585,"flow_dst_last_pkt_time":1490976107622246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107622246,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}}
 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976107514712,"flow_dst_last_pkt_time":1490976107625580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107625580,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}}
-01846{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":48,"avg":37270.9,"max":325585,"stddev":74532.9,"var":5555151872.0,"ent":3.0,"data": [55943,57350,1409,113314,370,112296,148,3166,65706,1386,70006,242,85334,246615,142,48,84,325585,285,3839,797,233,347,98,286,299,648,356,1116,6749,1201,0]},"pktlen": {"min":54,"avg":559.4,"max":1514,"stddev":489.8,"var":239933.9,"ent":4.4,"data": [74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603]},"bins": {"c_to_s": [7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01844{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":48,"avg":37270.9,"max":325585,"stddev":74532.9,"var":5555151872.0,"ent":3.0,"data": [55943,57350,1409,113314,370,112296,148,3166,65706,1386,70006,242,85334,246615,142,48,84,325585,285,3839,797,233,347,98,286,299,648,356,1116,6749,1201]},"pktlen": {"min":54,"avg":559.4,"max":1514,"stddev":489.8,"var":239933.9,"ent":4.4,"data": [74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603]},"bins": {"c_to_s": [7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":2,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976107366817,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976108360248,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8yY9AAEAGRVisECrYNu8d\/Z+XAbtod6HOAAAAAKAC\/\/8G+AAAAgQFtAQCCAoA9mikAAAAAAEDAwg="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1813,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":3,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976108548394,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976108548394,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwt7hAAOcGsDo27x39rBAq2AG7n5d09wMmaHehz3ASH\/4UgAAAAgQFtAEDAwY="}
-01851{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":89402.5,"max":932653,"stddev":197976.2,"var":39194591232.0,"ent":3.0,"data": [109911,111642,1568,102004,158,101584,303,1866,56194,150,87519,19070,7646,147913,304065,639361,932653,32742,136,49,686,68,38,318,579,110731,248,1820,214,123,120,0]},"pktlen": {"min":54,"avg":464.1,"max":1514,"stddev":541.5,"var":293230.8,"ent":4.1,"data": [74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54]},"bins": {"c_to_s": [11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01898{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":138,"avg":1357450.1,"max":9247029,"stddev":2197151.2,"var":4827473510400.0,"ent":3.5,"data": [992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210,0]},"pktlen": {"min":54,"avg":439.8,"max":1514,"stddev":556.2,"var":309356.4,"ent":4.0,"data": [74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60]},"bins": {"c_to_s": [9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":770379.9,"max":19096185,"stddev":3357549.8,"var":11273140961280.0,"ent":1.4,"data": [123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185,0]},"pktlen": {"min":54,"avg":281.5,"max":1514,"stddev":412.9,"var":170449.2,"ent":4.0,"data": [74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356]},"bins": {"c_to_s": [7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0]}}
+01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":89402.5,"max":932653,"stddev":197976.2,"var":39194591232.0,"ent":3.0,"data": [109911,111642,1568,102004,158,101584,303,1866,56194,150,87519,19070,7646,147913,304065,639361,932653,32742,136,49,686,68,38,318,579,110731,248,1820,214,123,120]},"pktlen": {"min":54,"avg":464.1,"max":1514,"stddev":541.5,"var":293230.8,"ent":4.1,"data": [74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54]},"bins": {"c_to_s": [11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01896{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":138,"avg":1357450.1,"max":9247029,"stddev":2197151.2,"var":4827473510400.0,"ent":3.5,"data": [992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210]},"pktlen": {"min":54,"avg":439.8,"max":1514,"stddev":556.2,"var":309356.4,"ent":4.0,"data": [74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60]},"bins": {"c_to_s": [9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":770379.9,"max":19096185,"stddev":3357549.8,"var":11273140961280.0,"ent":1.4,"data": [123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185]},"pktlen": {"min":54,"avg":281.5,"max":1514,"stddev":412.9,"var":170449.2,"ent":4.0,"data": [74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356]},"bins": {"c_to_s": [7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0]}}
 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","tls": {"version":"TLSv1.2","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976114879774,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976114879774,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_packet_id":1,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1490976114879774,"pkt":"AMDKkaPvePiC0\/vCCABFAABBWl1AAEARM1WsECrYrBAqAVG6ADUALQ0pp4sBAAABAAAAAAAACHBpdGFuZ3VpBmFtYXpvbgNjb20AAAEAAQ=="}
@@ -739,14 +739,14 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2055,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":2,"flow_src_last_pkt_time":1490976134149854,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976134237090,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyxaJEqCkMupghaAScSCurAAAAgQFtAQCCAps+nR5APZytgEDAwg="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2056,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":3,"flow_src_last_pkt_time":1490976134238394,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976134238394,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0EjNAAEAG3hysECrYNFQ\/OMsWAFAy6mCFiRKgpYAQAVdNOgAAAQEICgD2cr9s+nR5"}
 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2057,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976134149854,"flow_src_last_pkt_time":1490976134239068,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976134239068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51990,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/612xlaOI2NL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}}
-01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":121,"avg":51926.5,"max":295198,"stddev":97638.1,"var":9533208576.0,"ent":3.0,"data": [57953,60331,1632,154699,385,386,415,483,524,207,360,156722,299,4146,127,3380,248,131,172,143,126,121,6987,268261,295198,18253,286273,480,356,286588,4334,0]},"pktlen": {"min":66,"avg":611.0,"max":1514,"stddev":635.8,"var":404189.9,"ent":4.2,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":121,"avg":51926.5,"max":295198,"stddev":97638.1,"var":9533208576.0,"ent":3.0,"data": [57953,60331,1632,154699,385,386,415,483,524,207,360,156722,299,4146,127,3380,248,131,172,143,126,121,6987,268261,295198,18253,286273,480,356,286588,4334]},"pktlen": {"min":66,"avg":611.0,"max":1514,"stddev":635.8,"var":404189.9,"ent":4.2,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976136930982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":1,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976136930982,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8bqFAAEAGoEasECrYNu8d\/Z+nAbuZbx1qAAAAAKAC\/\/9PLQAAAgQFtAQCCAoA9nPLAAAAAAEDAwg="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":2,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976137042055,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwrQVAAOcGuu027x39rBAq2AG7n6dEArKimW8da3ASH\/7pVAAAAgQFtAEDAwY="}
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2238,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":3,"flow_src_last_pkt_time":1490976137043334,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976137043334,"pkt":"AMDKkaPvePiC0\/vCCABFAAAobqJAAEAGoFmsECrYNu8d\/Z+nAbuZbx1rRAKyo1AQAVczxgAA"}
 01069{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2239,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976137044165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01234{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2241,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137222092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976137222092,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
-01855{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":141074.2,"max":1107068,"stddev":256640.3,"var":65864265728.0,"ent":3.2,"data": [111073,112352,831,179894,143,45,179940,2913,265,3255,516,135136,162,170164,502171,1107068,16816,231,180,41,28,24,706579,352,9657,355942,325,629177,147816,149,54,0]},"pktlen": {"min":54,"avg":444.0,"max":1514,"stddev":555.4,"var":308431.6,"ent":4.0,"data": [74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603]},"bins": {"c_to_s": [7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01853{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":141074.2,"max":1107068,"stddev":256640.3,"var":65864265728.0,"ent":3.2,"data": [111073,112352,831,179894,143,45,179940,2913,265,3255,516,135136,162,170164,502171,1107068,16816,231,180,41,28,24,706579,352,9657,355942,325,629177,147816,149,54]},"pktlen": {"min":54,"avg":444.0,"max":1514,"stddev":555.4,"var":308431.6,"ent":4.0,"data": [74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603]},"bins": {"c_to_s": [7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139642766,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_packet_id":1,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139642766,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8ooBAAEAGTcesECrYNFQ\/OMsYAFAytNZaAAAAAKAC\/\/+zQgAAAgQFtAQCCAoA9nTaAAAAAAEDAwg="}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2275,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":127,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139643137,"flow_src_last_pkt_time":1490976139643137,"flow_dst_last_pkt_time":1490976139643137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139643137,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51993,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -777,7 +777,7 @@
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2295,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":2,"flow_src_last_pkt_time":1490976139643974,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139711656,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyx1XQZuRlNdGa6AScSCQFAAAAgQFtAQCCAps+n\/1APZ03AEDAwg="}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2296,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":3,"flow_src_last_pkt_time":1490976139713700,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976139713700,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0MrdAAEAGvZisECrYNFQ\/OMsdAFCU10ZrV0GbkoAQAVcupAAAAQEICgD2dONs+n\/1"}
 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2297,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976139643974,"flow_src_last_pkt_time":1490976139714237,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139714237,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51997,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/61Tfp7ZVcoL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}}
-01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":45,"avg":23229.3,"max":179149,"stddev":43867.1,"var":1924322304.0,"ent":3.1,"data": [31287,34141,578,113361,46407,49,49,50,45,46,11194,1598,7176,179149,121,126,120,120,142,3369,257,407,4520,99192,277,120761,46881,156,255,789,17484,0]},"pktlen": {"min":66,"avg":757.4,"max":1514,"stddev":681.3,"var":464196.8,"ent":4.3,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":45,"avg":23229.3,"max":179149,"stddev":43867.1,"var":1924322304.0,"ent":3.1,"data": [31287,34141,578,113361,46407,49,49,50,45,46,11194,1598,7176,179149,121,126,120,120,142,3369,257,407,4520,99192,277,120761,46881,156,255,789,17484]},"pktlen": {"min":66,"avg":757.4,"max":1514,"stddev":681.3,"var":464196.8,"ent":4.3,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976041150466,"flow_src_last_pkt_time":1490976041150466,"flow_dst_last_pkt_time":1490976041151487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":54886,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00878{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976027958387,"flow_src_last_pkt_time":1490976030758514,"flow_dst_last_pkt_time":1490976027958387,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976031581495,"flow_src_last_pkt_time":1490976031581495,"flow_dst_last_pkt_time":1490976031687199,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":34,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":34,"flow_dst_max_l4_payload_len":73,"flow_src_tot_l4_payload_len":34,"flow_dst_tot_l4_payload_len":73,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41030,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AmazonAlexa","proto_id":"5.110","encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant"}}
@@ -794,7 +794,7 @@
 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976029184743,"flow_src_last_pkt_time":1490976029184743,"flow_dst_last_pkt_time":1490976029244910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":161,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":161,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":48155,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976030681470,"flow_src_last_pkt_time":1490976030681470,"flow_dst_last_pkt_time":1490976030890027,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":7358,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976029669574,"flow_src_last_pkt_time":1490976029669574,"flow_dst_last_pkt_time":1490976029753315,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":84,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":19967,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":42070.0,"max":510931,"stddev":110064.9,"var":12114281472.0,"ent":2.5,"data": [24956,26298,431,110222,135,214,308,354,363,1114,487,409,385,114928,244,126,125,3452,97,26252,252,149,120,119,152,4719,62468,45133,368811,510931,416,0]},"pktlen": {"min":66,"avg":693.6,"max":1514,"stddev":671.9,"var":451493.0,"ent":4.2,"data": [74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":42070.0,"max":510931,"stddev":110064.9,"var":12114281472.0,"ent":2.5,"data": [24956,26298,431,110222,135,214,308,354,363,1114,487,409,385,114928,244,126,125,3452,97,26252,252,149,120,119,152,4719,62468,45133,368811,510931,416]},"pktlen": {"min":66,"avg":693.6,"max":1514,"stddev":671.9,"var":451493.0,"ent":4.2,"data": [74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976142629437,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976142629437,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40878,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":1,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976142629437,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Si5AAEAGxLmsECrYNu8d\/Z+uAbuBOjwrAAAAAKAC\/\/9GYAAAAgQFtAQCCAoA9nYFAAAAAAEDAwg="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2481,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":2,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142691841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976142691841,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw0iJAAOcGldA27x39rBAq2AG7n66gUyr3gTo8LHASH\/4OHAAAAgQFtAEDAwY="}
@@ -809,7 +809,7 @@
 01230{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":133,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976150029230,"flow_src_last_pkt_time":1490976150127984,"flow_dst_last_pkt_time":1490976150196755,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976150196755,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}}
 00864{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022741105,"flow_src_last_pkt_time":1490976022741164,"flow_dst_last_pkt_time":1490976022741105,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":56,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00873{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022731312,"flow_src_last_pkt_time":1490976022731374,"flow_dst_last_pkt_time":1490976022731312,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ffd3:fbc2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01609{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":3968339.8,"max":120002762,"stddev":21185284.0,"var":448816230694912.0,"ent":0.3,"data": [77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69,0]},"pktlen": {"min":66,"avg":450.5,"max":1514,"stddev":570.0,"var":324877.8,"ent":4.0,"data": [74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66]},"bins": {"c_to_s": [9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0],"s_to_c": [7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1]}}
+01607{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":3968339.8,"max":120002762,"stddev":21185284.0,"var":448816230694912.0,"ent":0.3,"data": [77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69]},"pktlen": {"min":66,"avg":450.5,"max":1514,"stddev":570.0,"var":324877.8,"ent":4.0,"data": [74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66]},"bins": {"c_to_s": [9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0],"s_to_c": [7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1]}}
 01715{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976158680003,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976158680003,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45751,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_packet_id":1,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976158680003,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8\/ohAAEAGSGasECrYNF7ohrK3Abt2joLDAAAAAKAC\/\/8pLAAAAgQFtAQCCAoA9nxLAAAAAAEDAwg="}
@@ -937,7 +937,7 @@
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187511761,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":1,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976187511761,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8IbxAAEAG7nasECrYNu8cspdlAbtMyaYzAAAAAKAC\/\/8I0wAAAgQFtAQCCAoA9oePAAAAAAEDAwg="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2739,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":2,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976187571606,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw3K9AAOcGjI427xyyrBAq2AG7l2UCDLyqTMmmNHASH\/7urAAAAgQFtAEDAwY="}
-01617{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":112,"avg":664331.6,"max":8001087,"stddev":1905246.8,"var":3629965115392.0,"ent":2.5,"data": [133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048,0]},"pktlen": {"min":54,"avg":438.7,"max":1514,"stddev":584.7,"var":341856.6,"ent":3.9,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54]},"bins": {"c_to_s": [9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0]}}
+01615{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":112,"avg":664331.6,"max":8001087,"stddev":1905246.8,"var":3629965115392.0,"ent":2.5,"data": [133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048]},"pktlen": {"min":54,"avg":438.7,"max":1514,"stddev":584.7,"var":341856.6,"ent":3.9,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54]},"bins": {"c_to_s": [9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0]}}
 01845{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}}
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2742,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":3,"flow_src_last_pkt_time":1490976187575232,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976187575232,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoIb1AAEAG7omsECrYNu8cspdlAbtMyaY0Agy8q1AQAVc5HgAA"}
 01159{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187577439,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187577439,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
@@ -966,7 +966,7 @@
 01195{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2820,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195670657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195724734,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01263{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2824,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195762060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1490976195762060,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}}
 02327{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195763002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":3987,"midstream":0,"thread_ts_usec":1490976195763002,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}}
-01579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":22200.1,"max":105973,"stddev":31062.3,"var":964868608.0,"ent":3.6,"data": [42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893,0]},"pktlen": {"min":66,"avg":539.8,"max":1514,"stddev":600.4,"var":360465.6,"ent":4.1,"data": [74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66]},"bins": {"c_to_s": [9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0]}}
+01577{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":22200.1,"max":105973,"stddev":31062.3,"var":964868608.0,"ent":3.6,"data": [42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893]},"pktlen": {"min":66,"avg":539.8,"max":1514,"stddev":600.4,"var":360465.6,"ent":4.1,"data": [74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66]},"bins": {"c_to_s": [9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0]}}
 01603{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976195921499,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":49,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195921499,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packet_id":1,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1490976195921499,"pkt":"AMDKkaPvePiC0\/vCCABFAABNWmZAAEARM0CsECrYrBAqARIEADUAOVP\/iiYBAAABAAAAAAAACWltYWdlcy1uYRFzc2wtaW1hZ2VzLWFtYXpvbgNjb20AAAEAAQ=="}
@@ -1027,13 +1027,13 @@
 01278{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196257995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196261315,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01338{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2950,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196300973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976196300973,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01810{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2952,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196301692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":3462,"midstream":0,"thread_ts_usec":1490976196301692,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}}
-01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":54,"avg":32922.3,"max":261773,"stddev":58822.9,"var":3460134400.0,"ent":3.5,"data": [16682,17944,1581,27330,5292,477,511,279,32463,293,12932,291,133,38969,52766,61918,541,272,54,35117,659,5109,216850,261773,199,39363,7450,74173,66612,42132,427,0]},"pktlen": {"min":66,"avg":631.0,"max":1514,"stddev":624.9,"var":390532.6,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514]},"bins": {"c_to_s": [10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0],"s_to_c": [2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1]}}
+01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":54,"avg":32922.3,"max":261773,"stddev":58822.9,"var":3460134400.0,"ent":3.5,"data": [16682,17944,1581,27330,5292,477,511,279,32463,293,12932,291,133,38969,52766,61918,541,272,54,35117,659,5109,216850,261773,199,39363,7450,74173,66612,42132,427]},"pktlen": {"min":66,"avg":631.0,"max":1514,"stddev":624.9,"var":390532.6,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514]},"bins": {"c_to_s": [10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0],"s_to_c": [2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1]}}
 01562{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}}
-01986{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":31380.5,"max":241435,"stddev":57224.6,"var":3274655232.0,"ent":3.4,"data": [33996,35089,2227,37919,5059,483,236,42863,280,131,30800,68825,38426,227149,241435,50068,58385,55537,3754,2000,4418,1636,659,7796,67,79,9049,341,3084,756,10250,0]},"pktlen": {"min":66,"avg":634.4,"max":1514,"stddev":578.4,"var":334504.2,"ent":4.4,"data": [74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":31380.5,"max":241435,"stddev":57224.6,"var":3274655232.0,"ent":3.4,"data": [33996,35089,2227,37919,5059,483,236,42863,280,131,30800,68825,38426,227149,241435,50068,58385,55537,3754,2000,4418,1636,659,7796,67,79,9049,341,3084,756,10250]},"pktlen": {"min":66,"avg":634.4,"max":1514,"stddev":578.4,"var":334504.2,"ent":4.4,"data": [74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1490976196840676,"pkt":"AMDKkaPvePiC0\/vCCABFAAA\/WmdAAEARM02sECrYrBAqAQqTADUAK8ZJ2BYBAAABAAAAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAE="}
 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":50,"avg":57253.4,"max":264056,"stddev":85984.0,"var":7393244160.0,"ent":3.6,"data": [22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142,0]},"pktlen": {"min":66,"avg":546.2,"max":1514,"stddev":595.2,"var":354289.1,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66]},"bins": {"c_to_s": [12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0],"s_to_c": [2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0]}}
+01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":50,"avg":57253.4,"max":264056,"stddev":85984.0,"var":7393244160.0,"ent":3.6,"data": [22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142]},"pktlen": {"min":66,"avg":546.2,"max":1514,"stddev":595.2,"var":354289.1,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66]},"bins": {"c_to_s": [12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0],"s_to_c": [2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0]}}
 01561{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976196938799,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP7ApAAEARoZmsECoBrBAq2AA1CpMAO2jR2BaBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAA7AARIFc55"}
 01022{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976196938799,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.121"}}}
@@ -1044,7 +1044,7 @@
 01063{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3355,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196942963,"flow_src_last_pkt_time":1490976197026574,"flow_dst_last_pkt_time":1490976197023104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":205,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197026574,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976197297649,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197297649,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":1,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976197297649,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8At9AAEAGSmasECrYSBXOebn2AbvarIm+AAAAAKAC\/\/+uEwAAAgQFtAQCCAoA9othAAAAAAEDAwg="}
-01608{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":614473.9,"max":7470598,"stddev":1477715.5,"var":2183643136000.0,"ent":2.8,"data": [168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122,0]},"pktlen": {"min":54,"avg":540.2,"max":1514,"stddev":637.5,"var":406420.1,"ent":4.0,"data": [74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1]}}
+01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":614473.9,"max":7470598,"stddev":1477715.5,"var":2183643136000.0,"ent":2.8,"data": [168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122]},"pktlen": {"min":54,"avg":540.2,"max":1514,"stddev":637.5,"var":406420.1,"ent":4.0,"data": [74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1]}}
 01509{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3361,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976197355099,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw5DlAAOcGwhZIFc55rBAq2AG7ufYaDpo72qyJv3ASH\/6iLAAAAgQFtAEDAwY="}
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3362,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1490976197356307,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976197356307,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoAuBAAEAGSnmsECrYSBXOebn2AbvarIm\/Gg6aPFAQAVfsnQAA"}
@@ -1190,8 +1190,8 @@
 ~~ total active/idle flows...: 160/160
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7091283 bytes
-~~ total memory freed........: 7091283 bytes
+~~ total memory allocated....: 7090643 bytes
+~~ total memory freed........: 7090643 bytes
 ~~ total allocations/frees...: 127335/127335
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 192 chars
diff --git a/test/results/alicloud.pcap.out b/test/results/alicloud.pcap.out
index 4465fc72d..bad2a5f0c 100644
--- a/test/results/alicloud.pcap.out
+++ b/test/results/alicloud.pcap.out
@@ -111,8 +111,8 @@
 ~~ total active/idle flows...: 15/15
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6095682 bytes
-~~ total memory freed........: 6095682 bytes
+~~ total memory allocated....: 6095622 bytes
+~~ total memory freed........: 6095622 bytes
 ~~ total allocations/frees...: 121867/121867
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/among_us.pcap.out b/test/results/among_us.pcap.out
index 92eff9eae..c60817442 100644
--- a/test/results/among_us.pcap.out
+++ b/test/results/among_us.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/amqp.pcap.out b/test/results/amqp.pcap.out
index 80cbb1fbd..ec9636bff 100644
--- a/test/results/amqp.pcap.out
+++ b/test/results/amqp.pcap.out
@@ -15,7 +15,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1490904169152163,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490904169152192,"pkt":"AAAAAAAAAAAAAAAACABFAAA01sFAAEAGZQB\/AAEBfwAAARYorK7a34rgiptOLIAQDAj\/KAAAAQEICgC+2LgAvti4"}
 00715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1490904169152378,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":206,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":206,"pkt_l4_len":172,"thread_ts_usec":1490904169152378,"pkt":"AAAAAAAAAAAAAAAACABFAADAPzxAAEAG+\/l\/AAABfwABAayuFiiKm04s2t+K4IAYAV7\/tAAAAQEICgC+2LgAvti4AgABAAAAhAA8AAAAAAAAAAAA7v4AHmFwcGxpY2F0aW9uL3gtcHl0aG9uLXNlcmlhbGl6ZQZiaW5hcnkAAAAAAgAkZjMzYWFlMjctNjlmNC00ZjQ4LWIwYmMtMmVmZGM0NTVjMTI4JGFiZjI3YmI1LTAxNDktM2RiZC1hMmRiLWQzNTcyYzMwOTc5MM4="}
 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904169152864,"flow_dst_last_pkt_time":1490904169156013,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":425,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":1321,"flow_dst_tot_l4_payload_len":21,"midstream":1,"thread_ts_usec":1490904169156013,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
-01678{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":224314.8,"max":2001684,"stddev":536643.9,"var":287986745344.0,"ent":2.4,"data": [31,198,177,103,103,2001663,2001684,188,167,98,97,1032593,1032598,113,109,94,93,11037,11041,111,108,94,93,17674,17676,105,104,99,99,412703,412706,0]},"pktlen": {"min":66,"avg":132.0,"max":395,"stddev":99.5,"var":9895.7,"ent":4.7,"data": [107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66]},"bins": {"c_to_s": [0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01676{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":224314.8,"max":2001684,"stddev":536643.9,"var":287986745344.0,"ent":2.4,"data": [31,198,177,103,103,2001663,2001684,188,167,98,97,1032593,1032598,113,109,94,93,11037,11041,111,108,94,93,17674,17676,105,104,99,99,412703,412706]},"pktlen": {"min":66,"avg":132.0,"max":395,"stddev":99.5,"var":9895.7,"ent":4.7,"data": [107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66]},"bins": {"c_to_s": [0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":9,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904170242659,"flow_dst_last_pkt_time":1490904170206101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":3469,"flow_dst_tot_l4_payload_len":105,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":54,"flow_dst_packets_processed":54,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904170243601,"flow_dst_last_pkt_time":1490904170243630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":7295,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":15,"flow_first_seen":1490904169152163,"flow_src_last_pkt_time":1490904170195756,"flow_dst_last_pkt_time":1490904170195765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2085,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44206,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
@@ -28,10 +28,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049685 bytes
-~~ total memory freed........: 6049685 bytes
+~~ total memory allocated....: 6049673 bytes
+~~ total memory freed........: 6049673 bytes
 ~~ total allocations/frees...: 121670/121670
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1683 chars
-~~ json string avg len.......: 1077 chars
+~~ json string max len.......: 1681 chars
+~~ json string avg len.......: 1076 chars
diff --git a/test/results/android.pcap.out b/test/results/android.pcap.out
index 01f443f0b..1b2fcb2f9 100644
--- a/test/results/android.pcap.out
+++ b/test/results/android.pcap.out
@@ -297,7 +297,7 @@
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1582454871881494,"pkt":"xiwDYGpkTGr2n\/YnCABFAABErDBAAEARCRfAqAIQwKgCAZtQADUAMNjjuKUBAAABAAAAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="}
 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454871881494,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871881494,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"android.googleapis.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 01117{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":408,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454871829800,"flow_src_last_pkt_time":1582454871890562,"flow_dst_last_pkt_time":1582454871867294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871890562,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"proxy.googlezip.net","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01718{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":48486.5,"max":404574,"stddev":104241.1,"var":10866214912.0,"ent":3.0,"data": [13673,15022,32725,47474,16568,3,34518,282,386517,404574,19668,197623,221096,19209,15019,27735,41804,1657,22,36,1002,1575,133,18,9,1204,14,1169,2703,19,10,0]},"pktlen": {"min":66,"avg":430.5,"max":1484,"stddev":552.7,"var":305506.2,"ent":4.0,"data": [74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66]},"bins": {"c_to_s": [13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":48486.5,"max":404574,"stddev":104241.1,"var":10866214912.0,"ent":3.0,"data": [13673,15022,32725,47474,16568,3,34518,282,386517,404574,19668,197623,221096,19209,15019,27735,41804,1657,22,36,1002,1575,133,18,9,1204,14,1169,2703,19,10]},"pktlen": {"min":66,"avg":430.5,"max":1484,"stddev":552.7,"var":305506.2,"ent":4.0,"data": [74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66]},"bins": {"c_to_s": [13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871839297,"flow_src_last_pkt_time":1582454871880409,"flow_dst_last_pkt_time":1582454871911317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1582454871911317,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.3","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01166{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":437,"source":"android.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871814833,"flow_src_last_pkt_time":1582454871879681,"flow_dst_last_pkt_time":1582454871913572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":594,"flow_dst_max_l4_payload_len":212,"flow_src_tot_l4_payload_len":594,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1582454871913572,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51944,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"datasaver.googleapis.com","tls": {"version":"TLSv1.3","ja3":"554719594ba90b02ae410c297c6e50ad","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871920611,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1582454871920611,"pkt":"TGr2n\/YnxiwDYGpkCABFAABUFXQAAEAR38PAqAIBwKgCEAA1m1AAQNQ0uKWBgAABAAEAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAARcABKzZFgo="}
@@ -392,8 +392,8 @@
 ~~ total active/idle flows...: 63/63
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6392603 bytes
-~~ total memory freed........: 6392603 bytes
+~~ total memory allocated....: 6392351 bytes
+~~ total memory freed........: 6392351 bytes
 ~~ total allocations/frees...: 122858/122858
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/anyconnect-vpn.pcap.out b/test/results/anyconnect-vpn.pcap.out
index a8ee418bf..7a3cd7985 100644
--- a/test/results/anyconnect-vpn.pcap.out
+++ b/test/results/anyconnect-vpn.pcap.out
@@ -66,7 +66,7 @@
 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245727730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687245728221,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01302{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245772680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687245772680,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","alpn":"http\/1.1"}}}
 01688{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245813667,"flow_dst_last_pkt_time":1569687245851826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687245851826,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}}
-01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22175.9,"max":71520,"stddev":21576.5,"var":465545472.0,"ent":4.0,"data": [39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,58,0,0,0]},"pktlen": {"min":66,"avg":504.7,"max":1514,"stddev":597.2,"var":356597.6,"ent":4.0,"data": [78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0]}}
+01545{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22175.9,"max":71520,"stddev":21576.5,"var":465545472.0,"ent":4.0,"data": [39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,58]},"pktlen": {"min":66,"avg":504.7,"max":1514,"stddev":597.2,"var":356597.6,"ent":4.0,"data": [78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0]}}
 01692{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687246891499,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687246891499,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1569687246891499,"pkt":"LH6BsEqhNDY7z3UoCABFAAAzrdgAAP8Ra2cKAADjS0tMTPaDADUAH3AoGBgBAAABAAAAAAAABWxvY2FsAAAGAAE="}
@@ -172,7 +172,7 @@
 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261485620,"flow_src_last_pkt_time":1569687261485620,"flow_dst_last_pkt_time":1569687261501464,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261501464,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":59222,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":145,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":145,"pkt_l4_len":111,"thread_ts_usec":1569687261506389,"pkt":"NDY7z3UoLH6BsEqhCABFAACDAABAADoRnvFLS0tLCgAA4wA13rkAbznpXq+BgwABAAAAAQAADUxQLVJLRVJVUi1PU1gEaHNkMQJjYQdjb21jYXN0A25ldAAAHAABwBoABgABAAAcIAAoBmRuczEwMcAiCGRuc2FkbWluwCIBawJtAAAcIAAADhAACTqAAAAcIA=="}
 01028{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261486499,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261506389,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":57017,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-02200{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":272,"avg":79351.4,"max":384774,"stddev":121592.3,"var":14784686080.0,"ent":3.7,"data": [28537,28596,272,35158,11581,46466,4231,33144,2963,31899,1468,30539,1730,30777,254948,281121,5133,31326,314965,342213,26303,53543,25788,25778,4801,30501,2712,28408,358152,384774,2066,0]},"pktlen": {"min":66,"avg":299.0,"max":1434,"stddev":416.2,"var":173206.9,"ent":4.0,"data": [78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124]},"bins": {"c_to_s": [9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+02198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":272,"avg":79351.4,"max":384774,"stddev":121592.3,"var":14784686080.0,"ent":3.7,"data": [28537,28596,272,35158,11581,46466,4231,33144,2963,31899,1468,30539,1730,30777,254948,281121,5133,31326,314965,342213,26303,53543,25788,25778,4801,30501,2712,28408,358152,384774,2066]},"pktlen": {"min":66,"avg":299.0,"max":1434,"stddev":416.2,"var":173206.9,"ent":4.0,"data": [78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124]},"bins": {"c_to_s": [9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687262866211,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687262866211,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"162.222.43.153","src_port":56881,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1569687262866211,"pkt":"LH6BsEqhNDY7z3UoCABFAABEAABAAEAGYVoKAADjot4rmd4xAbu3QBvT9S8yS4AYEAD8CwAAAQEIChwNvkTkAuRNDi2ISqeLxJuBXTMcrWivnw=="}
 00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1569687262866958,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":292,"pkt_l4_len":258,"thread_ts_usec":1569687262866958,"pkt":"LH6BsEqhNDY7z3UoCABFAAEWAABAAEAGYIgKAADjot4rmd4xAbu3QBvj9S8yS4AYEACf4gAAAQEIChwNvkTkAuRNC2FzYPnyOhEIxzv9HgAAAQAAAAAABf0HAAAAAAAAAFYAAAAAABO4pgAAAfJ1AAAAGzdZOcQAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAAEjynVwAAAAAACz6PAAAAAABmQ+JAyo3EgU6LQwAAAAAAAAAAAAAACK7duMsBAQAAAAELYXNg+fI6EQjHO\/0eAAABAAAAAAAF\/QcAAAAAAAAAVgAAAAAAE7imAAAB8nUAAAAbN1k5xAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAAAASPKdXAAAAAAALPo8AAAAAAAAAAQ=="}
@@ -184,7 +184,7 @@
 01251{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":301,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267077459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687267079534,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01405{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":303,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267125585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687267125585,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}}
 01791{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267166003,"flow_dst_last_pkt_time":1569687267203156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687267203156,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}}
-01548{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26551.9,"max":138032,"stddev":33142.4,"var":1098418688.0,"ent":3.6,"data": [42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,9,1,1,51168,0,0,0,0,0]},"pktlen": {"min":66,"avg":531.3,"max":1514,"stddev":619.3,"var":383541.0,"ent":4.1,"data": [78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66]},"bins": {"c_to_s": [12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0]}}
+01538{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26551.9,"max":138032,"stddev":33142.4,"var":1098418688.0,"ent":3.6,"data": [42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,9,1,1,51168]},"pktlen": {"min":66,"avg":531.3,"max":1514,"stddev":619.3,"var":383541.0,"ent":4.1,"data": [78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66]},"bins": {"c_to_s": [12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0]}}
 01795{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687267453127,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687267453127,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569687267453127,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld4hH0glPK3eiXsRe4AREAA75QAAAQEIChwN0AsAIb2q"}
@@ -278,7 +278,7 @@
 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_src_last_pkt_time":1569687268746220,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569687268789706,"pkt":"NDY7z3UoLH6BsEqhCABFAABMkFUAAPcRuegIJWZbCgAA4wG701sAOF8pFgEAAAAAAAAAAAAAIwMAABcAAAAAAAAAFwEAFGKRvPEadu7FYjYhjKxM1MN8EkEd"}
 00664{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":161,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":161,"pkt_l4_len":127,"thread_ts_usec":1569687268790107,"pkt":"LH6BsEqhNDY7z3UoCABFAACTQPwAAEARv\/sKAADjCCVmW9NbAbsAf9nwFgEAAAAAAAAAAAEAagEAAF4AAQAAAAAAXgEA7YnEaZ6hZImmhCHr0JUfCBctWVvywlB71JRnxl7mI4ogm7BxyKgEQGFPg0eizi7+AVQMevU74i4erAc5hyngJu8UYpG88Rp27sViNiGMrEzUw3wSQR0AAgA5AQA="}
 01000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":465,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268836308,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":119,"flow_dst_max_l4_payload_len":188,"flow_src_tot_l4_payload_len":218,"flow_dst_tot_l4_payload_len":236,"midstream":0,"thread_ts_usec":1569687268836308,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15801.5,"max":47070,"stddev":18787.6,"var":352972736.0,"ent":3.9,"data": [43486,43887,46602,46963,13778,22397,136,45366,3,1,180,3,8893,184,3220,4,34551,3,41128,530,5716,3654,11825,10035,4233,4600,46982,47070,168,405,3845,0]},"pktlen": {"min":90,"avg":213.1,"max":407,"stddev":70.7,"var":5001.8,"ent":4.9,"data": [141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343]},"bins": {"c_to_s": [0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01826{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15801.5,"max":47070,"stddev":18787.6,"var":352972736.0,"ent":3.9,"data": [43486,43887,46602,46963,13778,22397,136,45366,3,1,180,3,8893,184,3220,4,34551,3,41128,530,5716,3654,11825,10035,4233,4600,46982,47070,168,405,3845]},"pktlen": {"min":90,"avg":213.1,"max":407,"stddev":70.7,"var":5001.8,"ent":4.9,"data": [141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343]},"bins": {"c_to_s": [0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269094582,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269094582,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.1","src_port":52595,"dst_port":192,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":46,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":46,"pkt_l4_len":12,"thread_ts_usec":1569687269094582,"pkt":"LH6BsEqhNDY7z3UoCABFAAAg7WwAAEAReH0KAADjCgAAAc1zAMAADBGuCAEDEA=="}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":578,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269223066,"flow_src_last_pkt_time":1569687269223066,"flow_dst_last_pkt_time":1569687269223066,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":311,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269223066,"l3_proto":"ip4","src_ip":"10.0.0.151","dst_ip":"10.0.0.227","src_port":1900,"dst_port":57547,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -414,10 +414,10 @@
 ~~ total active/idle flows...: 69/69
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6328079 bytes
-~~ total memory freed........: 6328079 bytes
+~~ total memory allocated....: 6327803 bytes
+~~ total memory freed........: 6327803 bytes
 ~~ total allocations/frees...: 125241/125241
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
-~~ json string max len.......: 2205 chars
-~~ json string avg len.......: 1352 chars
+~~ json string max len.......: 2203 chars
+~~ json string avg len.......: 1351 chars
diff --git a/test/results/anydesk.pcapng.out b/test/results/anydesk.pcapng.out
index 00b63a4ea..a18c60109 100644
--- a/test/results/anydesk.pcapng.out
+++ b/test/results/anydesk.pcapng.out
@@ -12,7 +12,7 @@
 01506{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199366001,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591342199366725,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01568{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199532111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1591342199532111,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}}
 01771{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199532151,"flow_dst_last_pkt_time":1591342199532596,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":2600,"midstream":0,"thread_ts_usec":1591342199532596,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}}
-01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":176540.0,"max":1602919,"stddev":394272.9,"var":155451113472.0,"ent":2.8,"data": [164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62,0]},"pktlen": {"min":54,"avg":406.7,"max":1514,"stddev":555.2,"var":308238.0,"ent":3.9,"data": [74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194]},"bins": {"c_to_s": [8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1]}}
+01572{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":176540.0,"max":1602919,"stddev":394272.9,"var":155451113472.0,"ent":2.8,"data": [164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62]},"pktlen": {"min":54,"avg":406.7,"max":1514,"stddev":555.2,"var":308238.0,"ent":3.9,"data": [74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194]},"bins": {"c_to_s": [8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1]}}
 01775{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}}
 00568{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":6964,"source":"anydesk.pcapng","alias":"nDPId-test","packets-captured":6964,"packets-processed":6963,"total-skipped-flows":0,"total-l4-payload-len":2418022,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1613977585247036}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6964,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1613977585247036,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585247036,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977585247036,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":59511,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -39,7 +39,7 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6979,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1613977595407676,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1613977595407676,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGthLAqAGywKgBu8tHG54tLA3dVf0iy1AQIABwXwAAAAAAAAAA"}
 01369{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6980,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977595408312,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01790{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6987,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595549041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":813,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":813,"midstream":0,"thread_ts_usec":1613977595549041,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}}
-02218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7014,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":328,"avg":471052.1,"max":3021750,"stddev":868685.8,"var":754614927360.0,"ent":2.9,"data": [491,529,333,431,328,10474,10878,39566,40320,8749,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,1754245,1753698,16355,71246,2966766,3021750,4006,0,0,0,0,0]},"pktlen": {"min":54,"avg":320.3,"max":3980,"stddev":747.4,"var":558552.1,"ent":3.2,"data": [66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130]},"bins": {"c_to_s": [6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1],"s_to_c": [11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+02208{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7014,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":328,"avg":471052.1,"max":3021750,"stddev":868685.8,"var":754614927360.0,"ent":2.9,"data": [491,529,333,431,328,10474,10878,39566,40320,8749,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,1754245,1753698,16355,71246,2966766,3021750,4006]},"pktlen": {"min":54,"avg":320.3,"max":3980,"stddev":747.4,"var":558552.1,"ent":3.2,"data": [66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130]},"bins": {"c_to_s": [6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1],"s_to_c": [11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00568{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","packets-captured":9485,"packets-processed":9484,"total-skipped-flows":0,"total-l4-payload-len":4424268,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":7,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1663090549161771}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1663090549161771,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1663090549161771,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8b6ZAAEAGlofAqAGAw7WusLyEAbsbAqeoAAAAAKAC+vBE2wAAAgQFtAQCCAo49hnFAAAAAAEDAwc="}
@@ -48,7 +48,7 @@
 01163{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9488,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549180495,"flow_dst_last_pkt_time":1663090549179486,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1663090549180495,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"anydesk\/6.2.0\/linux"}}}
 01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9490,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549180495,"flow_dst_last_pkt_time":1663090549200737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1663090549200737,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"e58f0b3c1e9eefb8ee4f92aeceee5858","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"anydesk\/6.2.0\/linux"}}}
 01567{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9492,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549200799,"flow_dst_last_pkt_time":1663090549200825,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1663090549200825,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"e58f0b3c1e9eefb8ee4f92aeceee5858","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","alpn":"anydesk\/6.2.0\/linux","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}}
-01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9516,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090558034917,"flow_dst_last_pkt_time":1663090558365585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5817,"flow_dst_tot_l4_payload_len":3029,"midstream":0,"thread_ts_usec":1663090558365585,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":583127.8,"max":8444631,"stddev":2063627.1,"var":4258557067264.0,"ent":1.5,"data": [17715,17815,909,17821,3430,20304,88,41,3772,21850,18137,104,44,888,64188,13442,76786,1527,18418,206643,224790,16,4,18683,18,62779,11,80221,8427892,8444631,313993,0]},"pktlen": {"min":66,"avg":342.9,"max":1514,"stddev":495.5,"var":245485.5,"ent":3.9,"data": [74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159]},"bins": {"c_to_s": [8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0],"s_to_c": [7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01983{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9516,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090558034917,"flow_dst_last_pkt_time":1663090558365585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5817,"flow_dst_tot_l4_payload_len":3029,"midstream":0,"thread_ts_usec":1663090558365585,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":583127.8,"max":8444631,"stddev":2063627.1,"var":4258557067264.0,"ent":1.5,"data": [17715,17815,909,17821,3430,20304,88,41,3772,21850,18137,104,44,888,64188,13442,76786,1527,18418,206643,224790,16,4,18683,18,62779,11,80221,8427892,8444631,313993]},"pktlen": {"min":66,"avg":342.9,"max":1514,"stddev":495.5,"var":245485.5,"ent":3.9,"data": [74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159]},"bins": {"c_to_s": [8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0],"s_to_c": [7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00770{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595964011,"flow_dst_last_pkt_time":1613977595963376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1286,"flow_dst_max_l4_payload_len":914,"flow_src_tot_l4_payload_len":1549,"flow_dst_tot_l4_payload_len":1767,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01417{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":947,"flow_dst_packets_processed":1555,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977618224574,"flow_dst_last_pkt_time":1613977618224857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5506,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1977868,"flow_dst_tot_l4_payload_len":24838,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00919{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1613977585542630,"flow_src_last_pkt_time":1613977585542630,"flow_dst_last_pkt_time":1613977585553797,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":55376,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
@@ -63,10 +63,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6376729 bytes
-~~ total memory freed........: 6376729 bytes
+~~ total memory allocated....: 6376701 bytes
+~~ total memory freed........: 6376701 bytes
 ~~ total allocations/frees...: 131123/131123
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 2223 chars
-~~ json string avg len.......: 1357 chars
+~~ json string max len.......: 2213 chars
+~~ json string avg len.......: 1352 chars
diff --git a/test/results/avast.pcap.out b/test/results/avast.pcap.out
index 40979b903..052307414 100644
--- a/test/results/avast.pcap.out
+++ b/test/results/avast.pcap.out
@@ -87,8 +87,8 @@
 ~~ total active/idle flows...: 10/10
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6074895 bytes
-~~ total memory freed........: 6074895 bytes
+~~ total memory allocated....: 6074855 bytes
+~~ total memory freed........: 6074855 bytes
 ~~ total allocations/frees...: 121729/121729
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/avast_securedns.pcapng.out b/test/results/avast_securedns.pcapng.out
index 368bc4689..bd4f43643 100644
--- a/test/results/avast_securedns.pcapng.out
+++ b/test/results/avast_securedns.pcapng.out
@@ -224,8 +224,8 @@
 ~~ total active/idle flows...: 39/39
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6099742 bytes
-~~ total memory freed........: 6099742 bytes
+~~ total memory allocated....: 6099586 bytes
+~~ total memory freed........: 6099586 bytes
 ~~ total allocations/frees...: 121944/121944
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
diff --git a/test/results/bad-dns-traffic.pcap.out b/test/results/bad-dns-traffic.pcap.out
index a62fec1ad..382171ea5 100644
--- a/test/results/bad-dns-traffic.pcap.out
+++ b/test/results/bad-dns-traffic.pcap.out
@@ -17,7 +17,7 @@
 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012638093433,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012638093433,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"46b100fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":5,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012639101974,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":16,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 01308{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012639174914,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":122,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":122,"midstream":0,"thread_ts_usec":1486012639174914,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":16,"rsp_type":16,"rsp_addr":"0.0.0.0"}}}
-02036{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":63089,"avg":1073977.6,"max":4101854,"stddev":689094.3,"var":474850951168.0,"ent":4.7,"data": [1006460,1005839,1008074,1008541,4101854,73173,63089,1023925,1006666,2080907,1018755,962463,1014062,1012614,1013561,1040293,1038247,1060225,1011738,991100,1041523,1066575,1017786,982256,1029549,1026193,1027755,1007446,2080430,166358,305851,0]},"pktlen": {"min":95,"avg":129.2,"max":323,"stddev":50.6,"var":2560.6,"ent":4.9,"data": [133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323]},"bins": {"c_to_s": [0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+02034{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":63089,"avg":1073977.6,"max":4101854,"stddev":689094.3,"var":474850951168.0,"ent":4.7,"data": [1006460,1005839,1008074,1008541,4101854,73173,63089,1023925,1006666,2080907,1018755,962463,1014062,1012614,1013561,1040293,1038247,1060225,1011738,991100,1041523,1066575,1017786,982256,1029549,1026193,1027755,1007446,2080430,166358,305851]},"pktlen": {"min":95,"avg":129.2,"max":323,"stddev":50.6,"var":2560.6,"ent":4.9,"data": [133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323]},"bins": {"c_to_s": [0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01150{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":172,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":9,"flow_first_seen":1486012623234684,"flow_src_last_pkt_time":1486012630535623,"flow_dst_last_pkt_time":1486012630741119,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":187,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":915,"midstream":0,"thread_ts_usec":1486012676167582,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":35966,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01156{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":229,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":120,"flow_dst_packets_processed":89,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012686228125,"flow_dst_last_pkt_time":1486012686227663,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":283,"flow_src_tot_l4_payload_len":26440,"flow_dst_tot_l4_payload_len":22745,"midstream":0,"thread_ts_usec":1486012686228125,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01150{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":367,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":9,"flow_first_seen":1486012623234684,"flow_src_last_pkt_time":1486012630535623,"flow_dst_last_pkt_time":1486012630741119,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":187,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":915,"midstream":0,"thread_ts_usec":1486012726429073,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":35966,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -39,10 +39,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050303 bytes
-~~ total memory freed........: 6050303 bytes
+~~ total memory allocated....: 6050291 bytes
+~~ total memory freed........: 6050291 bytes
 ~~ total allocations/frees...: 121895/121895
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
-~~ json string max len.......: 2041 chars
-~~ json string avg len.......: 1269 chars
+~~ json string max len.......: 2039 chars
+~~ json string avg len.......: 1268 chars
diff --git a/test/results/bitcoin.pcap.out b/test/results/bitcoin.pcap.out
index 48a0a6410..9645541c3 100644
--- a/test/results/bitcoin.pcap.out
+++ b/test/results/bitcoin.pcap.out
@@ -10,26 +10,26 @@
 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328089970465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328089970465,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00671{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090023170,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328090023170,"pkt":"ACNshovhACPrIpS0CABFAACdT81AAHYGdmdFdjZ6wKgBjiCN2CBFUvMhECrU24AYAQRFgAAAAQEICgA8+QknMuFU+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAADZsJBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtggAQAAAAAAAAAAAAAAAAAAAAAA\/\/9FdjZ6II3xDaOK7c9BwgAGwwEA"}
 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090082335,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328090082335,"pkt":"ACNshovhACPrIpS0CABFAABIT85AAHYGdrtFdjZ6wKgBjiCN2CBFUvOKECrU24AYAQQkRgAAAQEICgA8+RAnMuFV+b602XZlcmFjawAAAAAAAAAAAAA="}
-01879{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9231048.0,"max":141657328,"stddev":28184708.0,"var":794377756606464.0,"ent":1.9,"data": [52705,59165,36072737,6972560,71059721,141657328,28238337,91,32968,6,2,1933055,1,2,1,2,4527,16790,273,4103,461,12118,1136,339,10616,15667,2671,6,3102,4098,7913,0]},"pktlen": {"min":86,"avg":1196.7,"max":1514,"stddev":570.2,"var":325114.2,"ent":4.8,"data": [171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01877{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9231048.0,"max":141657328,"stddev":28184708.0,"var":794377756606464.0,"ent":1.9,"data": [52705,59165,36072737,6972560,71059721,141657328,28238337,91,32968,6,2,1933055,1,2,1,2,4527,16790,273,4103,461,12118,1136,339,10616,15667,2671,6,3102,4098,7913]},"pktlen": {"min":86,"avg":1196.7,"max":1514,"stddev":570.2,"var":325114.2,"ent":4.8,"data": [171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00676{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319392147,"pkt":"ACPrIpS0ACNshovhCABFAACdlslAAEAG4RzAqAGOSlm15dg0II2cIEOJr5xIoIAY\/\/\/04QAAAQEICicy6kgDS\/0c+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAC\/sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/Slm15SCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII2qu+Pk33arXQC9vgEA"}
 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319451340,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319451340,"pkt":"ACNshovhACPrIpS0CABFAACdR2RAAHYG+oFKWbXlwKgBjiCN2DSvnEignCBD8oAYAQSuQgAAAQEICgNL\/SInMupI+b602XZlcnNpb24AAAAAAFUAAAAAfQAAAQAAAAAAAAC4sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtg0AQAAAAAAAAAAAAAAAAAAAAAA\/\/9KWbXlII1O39\/bLGJPkgAHwwEA"}
 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319554549,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328319554549,"pkt":"ACNshovhACPrIpS0CABFAABIR4lAAHYG+rFKWbXlwKgBjiCN2DSvnEkJnCBD8oAYAQTU7AAAAQEICgNL\/S8nMupI+b602XZlcmFjawAAAAAAAAAAAAA="}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":6495327.5,"max":100110670,"stddev":19444800.0,"var":378100231700480.0,"ent":2.0,"data": [59193,103209,9823152,39766075,21773202,100110670,311562,29237037,27,63547,5,128,1815,36336,73,10069,11,2188,6,22497,6,36,5434,1881,16669,98,3307,3200,88,2587,1046,0]},"pktlen": {"min":86,"avg":1169.3,"max":1514,"stddev":597.2,"var":356626.8,"ent":4.7,"data": [171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":6495327.5,"max":100110670,"stddev":19444800.0,"var":378100231700480.0,"ent":2.0,"data": [59193,103209,9823152,39766075,21773202,100110670,311562,29237037,27,63547,5,128,1815,36336,73,10069,11,2188,6,22497,6,36,5434,1881,16669,98,3307,3200,88,2587,1046]},"pktlen": {"min":86,"avg":1169.3,"max":1514,"stddev":597.2,"var":356626.8,"ent":4.7,"data": [171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472925065,"pkt":"ACPrIpS0ACNshovhCABFAACde+1AAEAGZt3AqAGOQkRTFthXII0tj7Vf9ZidkYAY\/\/+IsAAAAQEICicy8EYAAAAA+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAABYspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/QkRTFiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII21Dgd4gTLgpgDgvgEA"}
 00982{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472987383,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472987383,"pkt":"ACNshovhACPrIpS0CABFAACdMqtAAG8GgR9CRFMWwKgBjiCN2Ff1mJ2RLY+1yIAY\/5aM3QAAAQEICgBK7W0nMvBG+b602XZlcnNpb24AAAAAAFUAAACcfAAAAQAAAAAAAABZspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthXAQAAAAAAAAAAAAAAAAAAAAAA\/\/9CRFMWII0z3Rs+AfeDdwAHwwEA"}
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328473077893,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328473077893,"pkt":"ACNshovhACPrIpS0CABFAABIMqxAAG8GgXNCRFMWwKgBjiCN2Ff1mJ36LY+1yIAY\/5avrAAAAQEICgBK7W4nMvBG+b602XZlcmFjawAAAAAAAAAAAAA="}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":215,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":215,"packets-processed":214,"total-skipped-flows":0,"total-l4-payload-len":260266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":25,"global_ts_usec":1301328538215424}
-01909{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":8965742.0,"max":134322478,"stddev":25481870.0,"var":649325705166848.0,"ent":2.2,"data": [62318,90510,14042384,39643167,11451980,9238604,22700384,134322478,190526,216456,52,56784,49,15,11,45582876,5468,2949,79677,2390,56420,14875,38291,1106,29429,10233,41403,43,29590,11803,15753,0]},"pktlen": {"min":86,"avg":1089.6,"max":1514,"stddev":630.5,"var":397582.1,"ent":4.7,"data": [171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0],"s_to_c": [1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01907{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":8965742.0,"max":134322478,"stddev":25481870.0,"var":649325705166848.0,"ent":2.2,"data": [62318,90510,14042384,39643167,11451980,9238604,22700384,134322478,190526,216456,52,56784,49,15,11,45582876,5468,2949,79677,2390,56420,14875,38291,1106,29429,10233,41403,43,29590,11803,15753]},"pktlen": {"min":86,"avg":1089.6,"max":1514,"stddev":630.5,"var":397582.1,"ent":4.7,"data": [171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0],"s_to_c": [1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699728375,"pkt":"ACPrIpS0ACNshovhCABFAACdK9RAAEAGd8TAqAGOw9oQsthoII1BDXcu4yOzE4AY\/\/9L7wAAAQEICicy+R8AACIN+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAA7s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/w9oQsiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII38Ree1v7hQ3gC4wAEA"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699856583,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699856583,"pkt":"ACNshovhACPrIpS0CABFAACdBc9AAHUGaMnD2hCywKgBjiCN2GjjI7MTQQ13l4AYAQQ8gQAAAQEICgAAIhwnMvkf+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAAA4s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthoAQAAAAAAAAAAAAAAAAAAAAAA\/\/\/D2hCyII0FGo5IhpYwXgAKwwEA"}
 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699969841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328699969841,"pkt":"ACNshovhACPrIpS0CABFAABIBdlAAHUGaRTD2hCywKgBjiCN2GjjI7N8QQ13l4AYAQRZWQAAAQEICgAAIignMvkg+b602XZlcmFjawAAAAAAAAAAAAA="}
-01921{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":2780285.0,"max":41186439,"stddev":7975567.0,"var":63609669419008.0,"ent":2.2,"data": [128208,113258,17195103,11450771,3438749,6775,2755264,41186439,319900,321845,34,347450,8283500,31885,35035,52689,19022,36630,49289,41130,63903,2317,29070,27748,37436,32734,49198,24571,33724,41084,34074,0]},"pktlen": {"min":86,"avg":1120.5,"max":1514,"stddev":621.5,"var":386298.0,"ent":4.7,"data": [171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0],"s_to_c": [1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01919{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":2780285.0,"max":41186439,"stddev":7975567.0,"var":63609669419008.0,"ent":2.2,"data": [128208,113258,17195103,11450771,3438749,6775,2755264,41186439,319900,321845,34,347450,8283500,31885,35035,52689,19022,36630,49289,41130,63903,2317,29070,27748,37436,32734,49198,24571,33724,41084,34074]},"pktlen": {"min":86,"avg":1120.5,"max":1514,"stddev":621.5,"var":386298.0,"ent":4.7,"data": [171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0],"s_to_c": [1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":495,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":495,"packets-processed":494,"total-skipped-flows":0,"total-l4-payload-len":520135,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":5,"total-active-flows":5,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":33,"global_ts_usec":1301329138452825}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301329304767401,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301329304767401,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301329304767401,"pkt":"ACPrIpS0ACNshovhCABFAACdDAhAAEAGDmvAqAGOuDqld9i\/II0stRatNDMFDIAY\/\/9S8AAAAQEICiczELoAVdzf+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAACYtZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/uDqldyCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII0b7ZMAlkQ1dwALwwEA"}
@@ -52,10 +52,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6070490 bytes
-~~ total memory freed........: 6070490 bytes
+~~ total memory allocated....: 6070466 bytes
+~~ total memory freed........: 6070466 bytes
 ~~ total allocations/frees...: 122176/122176
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1926 chars
-~~ json string avg len.......: 1208 chars
+~~ json string max len.......: 1924 chars
+~~ json string avg len.......: 1207 chars
diff --git a/test/results/bittorrent.pcap.out b/test/results/bittorrent.pcap.out
index 5dc3df10d..6e7605898 100644
--- a/test/results/bittorrent.pcap.out
+++ b/test/results/bittorrent.pcap.out
@@ -94,7 +94,7 @@
 00691{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978662941,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":185,"pkt_l4_len":151,"thread_ts_usec":1455469978662941,"pkt":"xCwDBkn+LFbcjDU0CABFAACrdTRAAHcGzXJf6p8QwKgBA6D1zrlkqPSW1A6dPYAYAMM1JwAAAQEICgIQtLMZ3BteE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVUMzQ1MC3wos5cW3r846cWQCoAAADoFABkMTplaTBlNDppcHY0NDpf6p8QMTI6Y29tcGxldGVfYWdvaTQ1ZTE6bWQxMTo="}
 01355{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978678722,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":587,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":587,"pkt_l4_len":553,"thread_ts_usec":1455469978678722,"pkt":"xCwDBkn+LFbcjDU0CABFAAI9dTZAAHcGy95f6p8QwKgBA6D1zrlkqPUN1A6dPYAZAMPqbAAAAQEICgIQtLMZ3BtedXBsb2FkX29ubHlpM2UxMTpsdF9kb250aGF2ZWk3ZTEyOnV0X2hvbGVwdW5jaGk0ZTExOnV0X21ldGFkYXRhaTJlNjp1dF9wZXhpMWUxMDp1dF9jb21tZW50aTZlZTEzOm1ldGFkYXRhX3NpemVpMTkwMDllMTpwaTQxMjA1ZTQ6cmVxcWkyNTVlMTp2MTU6zrxUb3JyZW50IDMuNC41Mjp5cGk1MjkyMWU2OnlvdXJpcDQ6UjfNAWUAAAB0Bf\/\/\/\/\/7\/\/\/\/\/\/\/\/\/f\/\/\/\/9\/\/\/\/3\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/3\/\/\/\/\/\/\/\/\/\/v7\/\/v\/\/\/\/\/7\/\/3\/f\/\/\/\/\/r\/\/\/v\/\/\/\/9\/\/\/\/\/\/\/\/\/+\/\/\/\/\/3\/7\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/9\/\/\/\/\/9\/\/f\/4AAAAAFBAAAACUAAAAFBAAAAJwAAAAFBAAAArkAAAAFBAAAAfAAAAAFBAAAA3QAAAAFBAAAAosAAAAFBAAAAZ8AAAAFBAAAAdUAAAAFBAAAAqwAAAAFBAAAAhUAAAAFBAAAAM0AAAAFBAAAAk4AAAAFBAAAAIAAAAAFBAAAA4IAAAAFBAAAAF4AAAAFBAAAAi0AAAAFBAAAAVYAAAAFBAAAAZcAAAAFBAAAA1AAAAAFBAAAAeYAAAAFBAAAAa8AAAAFBAAAAhcAAAAFBAAAAw0AAAAFBAAAARs="}
 01357{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":85,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978422152,"flow_dst_last_pkt_time":1455469978679019,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":586,"pkt_l4_len":552,"thread_ts_usec":1455469978679019,"pkt":"xCwDBkn+LFbcjDU0CABFAAI8IwBAAHYG\/QBf7cEiwKgBAyw5zrr6gfxfv4GyU4AZAQJxbQAAAQEICgADmIEZ3BtmcGxvYWRfb25seWkzZTExOmx0X2RvbnRoYXZlaTdlMTI6dXRfaG9sZXB1bmNoaTRlMTE6dXRfbWV0YWRhdGFpMmU2OnV0X3BleGkxZTEwOnV0X2NvbW1lbnRpNmVlMTM6bWV0YWRhdGFfc2l6ZWkxOTAwOWUxOnBpMTEzMjFlNDpyZXFxaTI1NWUxOnYxNTrOvFRvcnJlbnQgMy40LjUyOnlwaTUyOTIyZTY6eW91cmlwNDpSN80BZQAAAHQF\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/+\/\/7\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/\/\/v\/\/\/v\/\/v\/\/+P\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/+\/7\/7\/\/\/\/\/\/7\/\/\/\/\/\/v\/\/3+\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/9\/\/\/7\/\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/\/\/\/\/\/\/\/3\/\/gAAAAAUEAAACNQAAAAUEAAACYwAAAAUEAAADgAAAAAUEAAAB1wAAAAUEAAAAyQAAAAUEAAABzQAAAAUEAAACUQAAAAUEAAABYQAAAAUEAAACzQAAAAUEAAAApQAAAAUEAAACtgAAAAUEAAACSAAAAAUEAAACDQAAAAUEAAABIQAAAAUEAAABYwAAAAUEAAAC5wAAAAUEAAAAlQAAAAUEAAABYgAAAAUEAAABlQAAAAUEAAADQQAAAAUEAAAB4wAAAAUEAAABOQAAAAUEAAABSwAAAAUEAAAAfQ=="}
-01934{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12043,"avg":246997.4,"max":919975,"stddev":228791.8,"var":52345696256.0,"ent":4.4,"data": [176832,184047,360999,337345,477634,919975,779765,619481,619422,156869,158080,151021,161242,12043,185627,163549,148908,165750,153542,19235,148725,12813,146117,495893,130312,32142,133808,27318,421482,129521,27423,0]},"pktlen": {"min":80,"avg":736.4,"max":1506,"stddev":635.2,"var":403438.9,"ent":4.4,"data": [134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506]},"bins": {"c_to_s": [5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01932{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12043,"avg":246997.4,"max":919975,"stddev":228791.8,"var":52345696256.0,"ent":4.4,"data": [176832,184047,360999,337345,477634,919975,779765,619481,619422,156869,158080,151021,161242,12043,185627,163549,148908,165750,153542,19235,148725,12813,146117,495893,130312,32142,133808,27318,421482,129521,27423]},"pktlen": {"min":80,"avg":736.4,"max":1506,"stddev":635.2,"var":403438.9,"ent":4.4,"data": [134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506]},"bins": {"c_to_s": [5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00625{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1455469980213097,"pkt":"LFbcjDU0xCwDBkn+CABFAAB4U25AAEAGAADAqAEDU9i48c6\/yNUzq1kTBM6UFIAYL5vO3wAAAQEIChncIiN4G2eaE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVNMTg2MC1Bjq+Lj4Q+qUQM4PY="}
 00941{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":"dcfcdccfb9e670ccc3dd40c78c161f2bea243126"}}}
@@ -141,10 +141,10 @@
 ~~ total active/idle flows...: 24/24
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6389000 bytes
-~~ total memory freed........: 6389000 bytes
+~~ total memory allocated....: 6388904 bytes
+~~ total memory freed........: 6388904 bytes
 ~~ total allocations/frees...: 122040/122040
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
-~~ json string max len.......: 1939 chars
-~~ json string avg len.......: 1216 chars
+~~ json string max len.......: 1937 chars
+~~ json string avg len.......: 1215 chars
diff --git a/test/results/bittorrent_utp.pcap.out b/test/results/bittorrent_utp.pcap.out
index c10c2db93..e75e520d5 100644
--- a/test/results/bittorrent_utp.pcap.out
+++ b/test/results/bittorrent_utp.pcap.out
@@ -5,7 +5,7 @@
 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385034843882,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1456385034843882,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":""}}}
 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1456385039236076,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1456385039236076,"pkt":"xCwDBkn+LFbcjDU0CABFCACEPR1AAHARR3hS83ErwKgBBf3Jn\/8AcOi+ZDE6YWQyOmlkMjA69\/YAfOoTUG5RTefsvJTyrlFxFfg5OmluZm9faGFzaDIwOvf2AbAuK1Rd0f1URppB\/xHRD5bKZTE6cTk6Z2V0X3BlZXJzMTp0MjoZ4TE6djQ6TFQBATE6eTE6cWU="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1456385040274000,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1456385040274000,"pkt":"xCwDBkn+LFbcjDU0CABFCAAwPfxAAHARRu1S83ErwKgBBf3Jn\/8AHJxJQQBTAhDusvAAAAAAAAAAAOf1AAA="}
-01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":959,"avg":411920.3,"max":5430275,"stddev":1202360.0,"var":1445669502976.0,"ent":2.4,"data": [4392194,1037924,5430275,116819,116920,100471,240441,139898,4463,110556,115010,959,58628,60551,88152,88141,37493,37665,24480,24365,43679,55465,11575,11793,11863,53659,52777,104119,173318,8337,17540,0]},"pktlen": {"min":62,"avg":511.2,"max":1514,"stddev":600.8,"var":360942.7,"ent":4.1,"data": [146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051]},"bins": {"c_to_s": [3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0],"s_to_c": [11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01909{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":959,"avg":411920.3,"max":5430275,"stddev":1202360.0,"var":1445669502976.0,"ent":2.4,"data": [4392194,1037924,5430275,116819,116920,100471,240441,139898,4463,110556,115010,959,58628,60551,88152,88141,37493,37665,24480,24365,43679,55465,11575,11793,11863,53659,52777,104119,173318,8337,17540]},"pktlen": {"min":62,"avg":511.2,"max":1514,"stddev":600.8,"var":360942.7,"ent":4.1,"data": [146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051]},"bins": {"c_to_s": [3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0],"s_to_c": [11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 01058{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":47,"flow_dst_packets_processed":39,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385044298958,"flow_dst_last_pkt_time":1456385054059812,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":34679,"flow_dst_tot_l4_payload_len":3198,"midstream":0,"thread_ts_usec":1456385054059812,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","packets-captured":86,"packets-processed":86,"total-skipped-flows":0,"total-l4-payload-len":37877,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1456385054059812}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6300323 bytes
-~~ total memory freed........: 6300323 bytes
+~~ total memory allocated....: 6300319 bytes
+~~ total memory freed........: 6300319 bytes
 ~~ total allocations/frees...: 121575/121575
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
-~~ json string max len.......: 1916 chars
-~~ json string avg len.......: 1149 chars
+~~ json string max len.......: 1914 chars
+~~ json string avg len.......: 1148 chars
diff --git a/test/results/bjnp.pcap.out b/test/results/bjnp.pcap.out
index d3b0b1ecd..9abdac0a1 100644
--- a/test/results/bjnp.pcap.out
+++ b/test/results/bjnp.pcap.out
@@ -49,8 +49,8 @@
 ~~ total active/idle flows...: 10/10
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050587 bytes
-~~ total memory freed........: 6050587 bytes
+~~ total memory allocated....: 6050547 bytes
+~~ total memory freed........: 6050547 bytes
 ~~ total allocations/frees...: 121587/121587
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/bot.pcap.out b/test/results/bot.pcap.out
index fe2559e3d..881e3e761 100644
--- a/test/results/bot.pcap.out
+++ b/test/results/bot.pcap.out
@@ -5,7 +5,7 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645108240233170,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":66,"pkt_l4_len":28,"thread_ts_usec":1645108240233579,"pkt":"AAAMB6wytJaRl+L8gQAATQgARQAAMAAAQAA\/BspbWR9I3ChNpyQAUP0AWPWTl7cGye1wEnIQNMAAAAIEBbQBAQQC"}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645108240339696,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":64,"pkt_l4_len":20,"thread_ts_usec":1645108240339696,"pkt":"AFBWtlQQQFU5D63CgQAATQgARQAAKBFTQABuBooQKE2nJFkfSNz9AABQtwbJ7Vj1k5hQEPrw2KMAAKqq+vDYow=="}
 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240339700,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1645108240339700,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"atlanteditorino.it","http": {"url":"atlanteditorino.it\/quartieri\/img\/S.Donato_M.Vittoria1930_B.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (compatible; bingbot\/2.0; +http:\/\/www.bing.com\/bingbot.htm)","detected_os":"bingbot\/2.0"}}}
-01687{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":14326.1,"max":114244,"stddev":36180.2,"var":1309009792.0,"ent":2.2,"data": [409,106526,4,106682,7609,64,117,61,7,4,842,8,6,4,114244,282,105363,69,4,6,123,5,6,4,232,8,61,8,763,123,465,0]},"pktlen": {"min":64,"avg":1104.5,"max":1498,"stddev":631.2,"var":398369.0,"ent":4.6,"data": [66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01685{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":14326.1,"max":114244,"stddev":36180.2,"var":1309009792.0,"ent":2.2,"data": [409,106526,4,106682,7609,64,117,61,7,4,842,8,6,4,114244,282,105363,69,4,6,123,5,6,4,232,8,61,8,763,123,465]},"pktlen": {"min":64,"avg":1104.5,"max":1498,"stddev":631.2,"var":398369.0,"ent":4.6,"data": [66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00915{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":115,"flow_dst_packets_processed":287,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108245896135,"flow_dst_last_pkt_time":1645108245896491,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":406780,"midstream":0,"thread_ts_usec":1645108245896491,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","packets-captured":402,"packets-processed":402,"total-skipped-flows":0,"total-l4-payload-len":407096,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1645108245896491}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047525 bytes
-~~ total memory freed........: 6047525 bytes
+~~ total memory allocated....: 6047521 bytes
+~~ total memory freed........: 6047521 bytes
 ~~ total allocations/frees...: 121894/121894
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1692 chars
-~~ json string avg len.......: 1042 chars
+~~ json string max len.......: 1690 chars
+~~ json string avg len.......: 1041 chars
diff --git a/test/results/bt_search.pcap.out b/test/results/bt_search.pcap.out
index 208ae04b6..eb9913215 100644
--- a/test/results/bt_search.pcap.out
+++ b/test/results/bt_search.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6297859 bytes
-~~ total memory freed........: 6297859 bytes
+~~ total memory allocated....: 6297855 bytes
+~~ total memory freed........: 6297855 bytes
 ~~ total allocations/frees...: 121490/121490
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/cachefly.pcapng.out b/test/results/cachefly.pcapng.out
index e6302ec15..88c3708d1 100644
--- a/test/results/cachefly.pcapng.out
+++ b/test/results/cachefly.pcapng.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6085310 bytes
-~~ total memory freed........: 6085310 bytes
+~~ total memory allocated....: 6085306 bytes
+~~ total memory freed........: 6085306 bytes
 ~~ total allocations/frees...: 121557/121557
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/capwap.pcap.out b/test/results/capwap.pcap.out
index 7979d97ff..cdb66675f 100644
--- a/test/results/capwap.pcap.out
+++ b/test/results/capwap.pcap.out
@@ -29,7 +29,7 @@
 00645{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329005767224,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1422329005767984,"pkt":"uDhh8wWsJOmzR64gCABFwACOANsAAH8RpGDAqAoJwKgKChR+MFwAegAAABACAAAAAAAAAAACAABlAAABACQAAAPoAAAABQIBAAMAQJYAAAEABAcFZgAAQJYAAAAABAEAAAEABAAJQ2lzY28yNTA0BBgABQAAAAAAAAoABsCoCgkAAAAlAAcAQJYAANAAACUACwBAlgAAl1THBF8A"}
 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":24,"source":"capwap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422328949167396,"flow_src_last_pkt_time":1422328949167396,"flow_dst_last_pkt_time":1422328949167396,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":65,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":65,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329005767984,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12379,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329015765658,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"thread_ts_usec":1422329015765658,"pkt":"JOmzR64guDhh8wWsCABFwABlAAVAAP8R5V7AqAoKwKgKCTBcFH4AURfgAQAAABb+\/wAAAAAAAAAAADgBAAAsAAAAAAAAACz+\/1Z4mrz13vIlLHFGU8KNmBPwkXkcj0vpbAEOfTafYoZSAAAABAAvADMBAA=="}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":751201.9,"max":10093423,"stddev":2531631.0,"var":6409154985984.0,"ent":1.6,"data": [760,9998434,10093423,96372,2625,2,127,182379,1,94,314122,135275,2746,249,111759,1,157255,1,325739,280124,1,39490,1,39481,264,2133,995,502,500,0,0,0]},"pktlen": {"min":106,"avg":512.2,"max":1499,"stddev":485.4,"var":235625.0,"ent":4.4,"data": [156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875]},"bins": {"c_to_s": [0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0],"s_to_c": [0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]},"directions": [0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":751201.9,"max":10093423,"stddev":2531631.0,"var":6409154985984.0,"ent":1.6,"data": [760,9998434,10093423,96372,2625,2,127,182379,1,94,314122,135275,2746,249,111759,1,157255,1,325739,280124,1,39490,1,39481,264,2133,995,502,500]},"pktlen": {"min":106,"avg":512.2,"max":1499,"stddev":485.4,"var":235625.0,"ent":4.4,"data": [156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875]},"bins": {"c_to_s": [0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0],"s_to_c": [0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]},"directions": [0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1422329017533285,"pkt":"JOmzR64guDhh8wWsCABFwABsAAFAAEARpFzAqAoKwKgKCTBcFH8AWAAAACADIAAAAAABBAAAAAAAAABAAABYCiBpDiAAAAAAAABYCiBpDiAAAN0JAECWJQEFKDMU3RsAQJYlAAEcq6fyE50AAEcACwAFJ\/9UIA8C1d0="}
 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -38,7 +38,7 @@
 00760{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":176,"source":"capwap.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1422328963915032,"flow_src_last_pkt_time":1422328966914891,"flow_dst_last_pkt_time":1422328963915032,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":82,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329025532954,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"255.255.255.255","src_port":49259,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00186{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","layer_type":375,"global_ts_usec":1422329034072795}
 00793{"packet_event_id":1,"packet_event_name":"packet","packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":389,"pkt_type":375,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":389,"pkt_l4_len":0,"thread_ts_usec":1422329034032779,"pkt":"AQAMzMzMuDhh8wWsAXeqqgMAAAwgAAK0KHQAAQAUQVBiODM4LjYxZjMuMDVhYwAFAPJDaXNjbyBJT1MgU29mdHdhcmUsIEMyNjAwIFNvZnR3YXJlIChBUDNHMi1LOVc4LU0pLCBWZXJzaW9uIDE1LjIoNClKQTEsIFJFTEVBU0UgU09GVFdBUkUgKGZjMikKVGVjaG5pY2FsIFN1cHBvcnQ6IGh0dHA6Ly93d3cuY2lzY28uY29tL3RlY2hzdXBwb3J0CkNvcHlyaWdodCAoYykgMTk4Ni0yMDEzIGJ5IENpc2NvIFN5c3RlbXMsIEluYy4KQ29tcGlsZWQgVHVlIDMwLUp1bC0xMyAyMjo1NyBieSBwcm9kX3JlbF90ZWFtAAYAG2Npc2NvIEFJUi1DQVAyNjAySS1RLUs5AAIAEQAAAAEBAcwABMCoCgoAAwAWR2lnYWJpdEV0aGVybmV0MC4xAAQACAAAAAMACwAFAQAQAAY8KAAZABCkjQABAAA8KAAAMsg="}
-01792{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":499857,"avg":1016097.1,"max":3999845,"stddev":875106.2,"var":765810835456.0,"ent":4.6,"data": [499983,500014,499872,2999961,499995,500031,499980,499982,499890,499986,499975,499998,499999,999998,999993,500014,2999827,1000005,999991,500032,1999814,500016,499990,999989,500017,1499983,499857,1999983,999996,999993,3999845,0]},"pktlen": {"min":122,"avg":195.4,"max":325,"stddev":58.4,"var":3415.7,"ent":4.9,"data": [122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180]},"bins": {"c_to_s": [0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01790{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":499857,"avg":1016097.1,"max":3999845,"stddev":875106.2,"var":765810835456.0,"ent":4.6,"data": [499983,500014,499872,2999961,499995,500031,499980,499982,499890,499986,499975,499998,499999,999998,999993,500014,2999827,1000005,999991,500032,1999814,500016,499990,999989,500017,1499983,499857,1999983,999996,999993,3999845]},"pktlen": {"min":122,"avg":195.4,"max":325,"stddev":58.4,"var":3415.7,"ent":4.9,"data": [122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180]},"bins": {"c_to_s": [0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1422329005766358,"flow_src_last_pkt_time":1422329005766854,"flow_dst_last_pkt_time":1422329005766358,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"255.255.255.255","src_port":12380,"dst_port":5246,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422328949167396,"flow_src_last_pkt_time":1422328949167396,"flow_dst_last_pkt_time":1422328949167396,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":65,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":65,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12379,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00920{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":85,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329054811998,"flow_dst_last_pkt_time":1422329054811504,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":19173,"flow_dst_tot_l4_payload_len":19898,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -71,10 +71,10 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6053614 bytes
-~~ total memory freed........: 6053614 bytes
+~~ total memory allocated....: 6053594 bytes
+~~ total memory freed........: 6053594 bytes
 ~~ total allocations/frees...: 121922/121922
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 189 chars
-~~ json string max len.......: 1797 chars
-~~ json string avg len.......: 992 chars
+~~ json string max len.......: 1795 chars
+~~ json string avg len.......: 991 chars
diff --git a/test/results/cassandra.pcap.out b/test/results/cassandra.pcap.out
index 3bbcfbba1..698630575 100644
--- a/test/results/cassandra.pcap.out
+++ b/test/results/cassandra.pcap.out
@@ -10,8 +10,8 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1450889498074112,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1450889498074125,"pkt":"AAAAAAAAAAAAAAAACABFAAA8AABAAEAGPLp\/AAABfwAAASNStckXl5aGpl5H6aASqqr+MAAAAgT\/1wQCCAon7JNsJ+yTbAEDAwc="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1450889498074133,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1450889498074133,"pkt":"AAAAAAAAAAAAAAAACABFAAA01IVAAEAGaDx\/AAABfwAAAbXJI1KmXkfpF5eWh4AQAVb+KAAAAQEICifsk2wn7JNs"}
 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889498080407,"flow_dst_last_pkt_time":1450889498080853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1450889498080853,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
-01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":1754596.9,"max":26002233,"stddev":6369210.5,"var":40566842720256.0,"ent":1.3,"data": [11,19,249,264,5672,5686,233,620,1533,1593,1631,2318,1136,3494,3539,2825,4760,1891,1781,667,2471,2015,1427,3423,25963183,26002233,1164047,1204436,1335,2304,5708,0]},"pktlen": {"min":66,"avg":1951.6,"max":25214,"stddev":5902.9,"var":34844344.0,"ent":2.1,"data": [74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157]},"bins": {"c_to_s": [9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2293327.5,"max":25937061,"stddev":6507358.0,"var":42345709961216.0,"ent":2.0,"data": [13,21,671,688,5291,5315,288,749,1660,4537,3374,25897068,25937061,6031,46634,674,28,18,1162,1117,2315,1239,3343,41722,7689860,7730331,832,186,642,40128,3670158,0]},"pktlen": {"min":66,"avg":466.3,"max":11512,"stddev":1984.7,"var":3939065.0,"ent":1.9,"data": [74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291]},"bins": {"c_to_s": [10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
+01734{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":1754596.9,"max":26002233,"stddev":6369210.5,"var":40566842720256.0,"ent":1.3,"data": [11,19,249,264,5672,5686,233,620,1533,1593,1631,2318,1136,3494,3539,2825,4760,1891,1781,667,2471,2015,1427,3423,25963183,26002233,1164047,1204436,1335,2304,5708]},"pktlen": {"min":66,"avg":1951.6,"max":25214,"stddev":5902.9,"var":34844344.0,"ent":2.1,"data": [74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157]},"bins": {"c_to_s": [9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2293327.5,"max":25937061,"stddev":6507358.0,"var":42345709961216.0,"ent":2.0,"data": [13,21,671,688,5291,5315,288,749,1660,4537,3374,25897068,25937061,6031,46634,674,28,18,1162,1117,2315,1239,3343,41722,7689860,7730331,832,186,642,40128,3670158]},"pktlen": {"min":66,"avg":466.3,"max":11512,"stddev":1984.7,"var":3939065.0,"ent":1.9,"data": [74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291]},"bins": {"c_to_s": [10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":75,"flow_dst_packets_processed":69,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889698077770,"flow_dst_last_pkt_time":1450889698077758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":4772,"flow_dst_tot_l4_payload_len":73452,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":74,"flow_dst_packets_processed":68,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889698077769,"flow_dst_last_pkt_time":1450889698077759,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":333,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":4963,"flow_dst_tot_l4_payload_len":23921,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","packets-captured":286,"packets-processed":286,"total-skipped-flows":0,"total-l4-payload-len":107108,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1450889698077770}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049663 bytes
-~~ total memory freed........: 6049663 bytes
+~~ total memory allocated....: 6049655 bytes
+~~ total memory freed........: 6049655 bytes
 ~~ total allocations/frees...: 121785/121785
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1741 chars
-~~ json string avg len.......: 1103 chars
+~~ json string max len.......: 1739 chars
+~~ json string avg len.......: 1102 chars
diff --git a/test/results/check_mk_new.pcap.out b/test/results/check_mk_new.pcap.out
index 8f6a0ca85..46f3adcc3 100644
--- a/test/results/check_mk_new.pcap.out
+++ b/test/results/check_mk_new.pcap.out
@@ -5,7 +5,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1512031663734797,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1512031663734824,"pkt":"8soKyPpERjIA9qTsCABFAAA8AABAAEAG8SLAqGQywKhkFhmc5nZuqQJN1XLoOKAScSBJyAAAAgQFtAQCCAoWUVydKwxrPwEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1512031663734985,"pkt":"RjIA9qTs8soKyPpECABFEAA0gwlAAEAGbhHAqGQWwKhkMuZ2GZzVcug4bqkCToAQAOVJwAAAAQEICisMaz8WUVyd"}
 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663736952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":15,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":15,"midstream":0,"thread_ts_usec":1512031663736952,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
-01668{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":27,"avg":877.3,"max":2128,"stddev":812.2,"var":659616.6,"ent":4.3,"data": [27,188,2128,2061,102,68,67,104,1865,1834,72,90,1254,1242,147,158,91,94,1228,1205,176,172,1964,1988,1810,1805,1867,1907,699,663,119,0]},"pktlen": {"min":66,"avg":109.5,"max":568,"stddev":116.8,"var":13650.4,"ent":4.5,"data": [74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
+01666{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":27,"avg":877.3,"max":2128,"stddev":812.2,"var":659616.6,"ent":4.3,"data": [27,188,2128,2061,102,68,67,104,1865,1834,72,90,1254,1242,147,158,91,94,1228,1205,176,172,1964,1988,1810,1805,1867,1907,699,663,119]},"pktlen": {"min":66,"avg":109.5,"max":568,"stddev":116.8,"var":13650.4,"ent":4.5,"data": [74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":49,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663775626,"flow_dst_last_pkt_time":1512031663775645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":4096,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":13758,"midstream":0,"thread_ts_usec":1512031663775645,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","packets-captured":98,"packets-processed":98,"total-skipped-flows":0,"total-l4-payload-len":13758,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1512031663775645}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038487 bytes
-~~ total memory freed........: 6038487 bytes
+~~ total memory allocated....: 6038483 bytes
+~~ total memory freed........: 6038483 bytes
 ~~ total allocations/frees...: 121585/121585
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
-~~ json string max len.......: 1673 chars
+~~ json string max len.......: 1671 chars
 ~~ json string avg len.......: 1030 chars
diff --git a/test/results/chrome.pcap.out b/test/results/chrome.pcap.out
index 85e33e801..bb706e326 100644
--- a/test/results/chrome.pcap.out
+++ b/test/results/chrome.pcap.out
@@ -11,7 +11,7 @@
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620902508740717,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620902508769205,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7+4peZebaYG3EqKAS\/og23AAAAgQFrAQCCAo6mxi5M3SVkQEDAwc="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1620902508769277,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620902508769277,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EvuKAbtgbcSoXmXm24AQECxT5gAAAQEICjN0lag6mxi5"}
 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902508769889,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":57251.0,"max":629043,"stddev":154280.9,"var":23802585088.0,"ent":2.4,"data": [28765,28872,339,29774,6968,212,36564,499,471,13592,322,42282,28,185,11,28620,3,627868,1163,629043,92,171,257,86,255,319,1121,131143,160052,5604,100,0]},"pktlen": {"min":66,"avg":619.4,"max":1506,"stddev":632.9,"var":400560.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":57251.0,"max":629043,"stddev":154280.9,"var":23802585088.0,"ent":2.4,"data": [28765,28872,339,29774,6968,212,36564,499,471,13592,322,42282,28,185,11,28620,3,627868,1163,629043,92,171,257,86,255,319,1121,131143,160052,5604,100]},"pktlen": {"min":66,"avg":619.4,"max":1506,"stddev":632.9,"var":400560.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508800346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902508800346,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509272814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620902509272814,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EvuYAbvjd2YSAAAAALAC\/\/+WlQAAAgQFtAEDAwUBAQgKM3SXeAAAAAAEAgAA"}
@@ -33,19 +33,19 @@
 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":115,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509302592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509303683,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509302720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304055,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":117,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509303215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304589,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":111,"avg":37950.2,"max":468764,"stddev":110334.2,"var":12173627392.0,"ent":2.3,"data": [28488,28560,612,28383,2758,30530,2041,28373,116,26422,441785,468764,1748,1393,30158,119,111,182,125,120,237,134,128,266,240,251,495,806,26027,25276,1809,0]},"pktlen": {"min":66,"avg":631.1,"max":1506,"stddev":638.0,"var":407026.8,"ent":4.2,"data": [78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0]}}
+01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":111,"avg":37950.2,"max":468764,"stddev":110334.2,"var":12173627392.0,"ent":2.3,"data": [28488,28560,612,28383,2758,30530,2041,28373,116,26422,441785,468764,1748,1393,30158,119,111,182,125,120,237,134,128,266,240,251,495,806,26027,25276,1809]},"pktlen": {"min":66,"avg":631.1,"max":1506,"stddev":638.0,"var":407026.8,"ent":4.2,"data": [78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0]}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509303389,"flow_dst_last_pkt_time":1620902509333977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509333977,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":132,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509335101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509335101,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":136,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509338226,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509338226,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":143,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509342220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509342220,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01545{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6344.3,"max":34983,"stddev":11244.6,"var":126440648.0,"ent":3.1,"data": [26769,26817,1326,28249,6762,1293,14,34983,12,374,291,27566,2,26902,1379,1360,1118,15,1124,130,231,245,356,130,118,13,252,11,746,1742,0,0]},"pktlen": {"min":66,"avg":542.7,"max":1506,"stddev":598.4,"var":358096.1,"ent":4.1,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0]}}
+01541{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6344.3,"max":34983,"stddev":11244.6,"var":126440648.0,"ent":3.1,"data": [26769,26817,1326,28249,6762,1293,14,34983,12,374,291,27566,2,26902,1379,1360,1118,15,1124,130,231,245,356,130,118,13,252,11,746,1742]},"pktlen": {"min":66,"avg":542.7,"max":1506,"stddev":598.4,"var":358096.1,"ent":4.1,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0]}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":7853.2,"max":30653,"stddev":12089.6,"var":146159520.0,"ent":3.4,"data": [29278,29334,864,29011,2497,30653,580,334,26242,1058,2318,28687,1760,236,1984,377,499,883,126,124,243,136,114,251,129,941,26868,117,26169,1503,132,0]},"pktlen": {"min":66,"avg":713.6,"max":1506,"stddev":675.5,"var":456346.8,"ent":4.3,"data": [78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1]}}
+01564{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":7853.2,"max":30653,"stddev":12089.6,"var":146159520.0,"ent":3.4,"data": [29278,29334,864,29011,2497,30653,580,334,26242,1058,2318,28687,1760,236,1984,377,499,883,126,124,243,136,114,251,129,941,26868,117,26169,1503,132]},"pktlen": {"min":66,"avg":713.6,"max":1506,"stddev":675.5,"var":456346.8,"ent":4.3,"data": [78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1]}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7279.5,"max":38324,"stddev":12250.6,"var":150076944.0,"ent":3.2,"data": [28686,28726,1295,29880,9620,122,15,38324,11,451,233,27995,116,117,14,27547,3,1242,1253,2514,126,125,241,123,122,245,249,230,376,396,25266,0]},"pktlen": {"min":66,"avg":643.3,"max":1506,"stddev":651.9,"var":424923.8,"ent":4.2,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1]}}
+01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7279.5,"max":38324,"stddev":12250.6,"var":150076944.0,"ent":3.2,"data": [28686,28726,1295,29880,9620,122,15,38324,11,451,233,27995,116,117,14,27547,3,1242,1253,2514,126,125,241,123,122,245,249,230,376,396,25266]},"pktlen": {"min":66,"avg":643.3,"max":1506,"stddev":651.9,"var":424923.8,"ent":4.2,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1]}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01554{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8151.5,"max":32013,"stddev":12799.0,"var":163814464.0,"ent":3.3,"data": [29778,29819,1050,30027,2482,31460,377,194,32013,8,1,31458,983,109,1078,130,153,122,98,131,118,249,502,124,630,126,1459,27278,100,26052,4586,0]},"pktlen": {"min":66,"avg":623.7,"max":1506,"stddev":634.7,"var":402848.7,"ent":4.2,"data": [78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]}}
+01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8151.5,"max":32013,"stddev":12799.0,"var":163814464.0,"ent":3.3,"data": [29778,29819,1050,30027,2482,31460,377,194,32013,8,1,31458,983,109,1078,130,153,122,98,131,118,249,502,124,630,126,1459,27278,100,26052,4586]},"pktlen": {"min":66,"avg":623.7,"max":1506,"stddev":634.7,"var":402848.7,"ent":4.2,"data": [78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":374,"flow_dst_packets_processed":488,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902514626667,"flow_dst_last_pkt_time":1620902514626583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6885,"flow_dst_tot_l4_payload_len":681088,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":472,"flow_dst_packets_processed":662,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902515037845,"flow_dst_last_pkt_time":1620902515037814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":726,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6421,"flow_dst_tot_l4_payload_len":923694,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -62,10 +62,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6653303 bytes
-~~ total memory freed........: 6653303 bytes
+~~ total memory allocated....: 6653279 bytes
+~~ total memory freed........: 6653279 bytes
 ~~ total allocations/frees...: 127247/127247
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1702 chars
-~~ json string avg len.......: 1095 chars
+~~ json string max len.......: 1700 chars
+~~ json string avg len.......: 1094 chars
diff --git a/test/results/citrix.pcap.out b/test/results/citrix.pcap.out
index 7162d7ee3..e7ec89712 100644
--- a/test/results/citrix.pcap.out
+++ b/test/results/citrix.pcap.out
@@ -4,7 +4,7 @@
 00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":0,"flow_dst_last_pkt_time":2099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":24,"thread_ts_usec":2099,"pkt":"ABUXp3Wj4F+5aekiCABFAAAsrVIAAH4GZGsWAAAHFQAACAXWsKkP1nFlD9ZnuWASgAA9vQAAAgQFtAAA3WOanQ=="}
 00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":2106,"flow_dst_last_pkt_time":2099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":20,"thread_ts_usec":2106,"pkt":"4F+5aekiABUXp3WjCABFAAAorYQAAIAGYj0VAAAIFgAAB7CpBdYP1me5D9ZxZlAQgABVegAAAAAAAAAAIuNIFQ=="}
 00801{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":0,"flow_src_last_pkt_time":2106,"flow_dst_last_pkt_time":8192,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":6,"midstream":0,"thread_ts_usec":8192,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":0,"flow_src_last_pkt_time":72692,"flow_dst_last_pkt_time":72684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":343,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":1670,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":72692,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":4689.5,"max":56256,"stddev":12448.2,"var":154958800.0,"ent":2.6,"data": [2099,2106,6093,6094,4120,7122,1007,6,6,6,6,1006,1007,7,5,13,6,1007,6,5,2009,7,5,6,5,1007,5,56256,46119,4116,4114,0]},"pktlen": {"min":64,"avg":114.3,"max":401,"stddev":63.6,"var":4041.6,"ent":4.8,"data": [64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64]},"bins": {"c_to_s": [5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":0,"flow_src_last_pkt_time":72692,"flow_dst_last_pkt_time":72684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":343,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":1670,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":72692,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":4689.5,"max":56256,"stddev":12448.2,"var":154958800.0,"ent":2.6,"data": [2099,2106,6093,6094,4120,7122,1007,6,6,6,6,1006,1007,7,5,13,6,1007,6,5,2009,7,5,6,5,1007,5,56256,46119,4116,4114]},"pktlen": {"min":64,"avg":114.3,"max":401,"stddev":63.6,"var":4041.6,"ent":4.8,"data": [64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64]},"bins": {"c_to_s": [5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00863{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":75,"flow_dst_packets_processed":25,"flow_first_seen":0,"flow_src_last_pkt_time":1581384,"flow_dst_last_pkt_time":1605466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":855,"flow_dst_max_l4_payload_len":537,"flow_src_tot_l4_payload_len":3874,"flow_dst_tot_l4_payload_len":1616,"midstream":0,"thread_ts_usec":1605466,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00551{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"citrix.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":5490,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1605466}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -15,10 +15,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038545 bytes
-~~ total memory freed........: 6038545 bytes
+~~ total memory allocated....: 6038541 bytes
+~~ total memory freed........: 6038541 bytes
 ~~ total allocations/frees...: 121587/121587
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 483 chars
-~~ json string max len.......: 1604 chars
-~~ json string avg len.......: 988 chars
+~~ json string max len.......: 1602 chars
+~~ json string avg len.......: 987 chars
diff --git a/test/results/cloudflare-warp.pcap.out b/test/results/cloudflare-warp.pcap.out
index 63b6e120a..6eee99643 100644
--- a/test/results/cloudflare-warp.pcap.out
+++ b/test/results/cloudflare-warp.pcap.out
@@ -58,8 +58,8 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6071349 bytes
-~~ total memory freed........: 6071349 bytes
+~~ total memory allocated....: 6071317 bytes
+~~ total memory freed........: 6071317 bytes
 ~~ total allocations/frees...: 121643/121643
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/coap_mqtt.pcap.out b/test/results/coap_mqtt.pcap.out
index c7633aa81..c8f5bc7b6 100644
--- a/test/results/coap_mqtt.pcap.out
+++ b/test/results/coap_mqtt.pcap.out
@@ -67,29 +67,29 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1455907271483430,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1455907271485428,"pkt":"CAAnmO\/hCAAnAERyCABFAAAsEMdAAIAG+E3AqDgBwKg4ZdEURF3FmLqAlt6Sd1AYAP++LAAAQAIAAgAA"}
 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271522028,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1455907271522028,"pkt":"CAAnAERyCAAnmO\/hCABFAAAo1KhAAEAGdHDAqDhlwKg4AURd0RSW3pJ3xZi6hFAQAOXx0QAA"}
 00626{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271585820,"flow_dst_last_pkt_time":1455907271483762,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907271585820,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EM0AAIARN+7AqDgBwKg4ZcSHRFwAZzJrQgM1Anj4ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjExIEVFVCAyMDE2In0="}
-01842{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":304137.8,"max":4438876,"stddev":1061040.8,"var":1125807423488.0,"ent":1.6,"data": [72,248,4635,4859,1038,9311,9054,2795,3496,481,2352,21820,23421,198700,4438876,4242440,38504,37941,469,2294,62501,64983,1232,38696,37823,527,2778,66747,69695,1087,39395,0]},"pktlen": {"min":54,"avg":76.3,"max":140,"stddev":30.1,"var":907.0,"ent":4.9,"data": [66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
-01855{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":1802493.1,"max":27505948,"stddev":6724537.0,"var":45219399598080.0,"ent":1.2,"data": [709,199149,27505948,27310358,42735,39960,130,529,60417,61165,1588,38934,37729,553,2947,66282,69491,1247,39646,39140,1019,2437,62744,65305,1790,40465,38726,170,6175,66713,73088,0]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
-01854{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":237,"avg":876330.8,"max":13150790,"stddev":3197714.5,"var":10225378656256.0,"ent":1.4,"data": [404,199934,13150790,12952309,38608,37989,477,2148,62571,64954,1016,38807,38093,501,2594,66803,69615,1179,39541,39110,979,2406,62938,65497,773,40198,39480,237,5592,67477,73236,0]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
-01835{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":30616.7,"max":73508,"stddev":26730.8,"var":714536192.0,"ent":4.3,"data": [1998,38598,37069,480,2447,62266,64859,841,38683,38127,461,2290,67273,69748,665,39428,39498,931,2251,63248,65640,1623,40275,38699,156,6124,67250,73508,2463,42357,39863,0]},"pktlen": {"min":54,"avg":79.0,"max":140,"stddev":33.2,"var":1105.2,"ent":4.9,"data": [140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114]},"bins": {"c_to_s": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":304137.8,"max":4438876,"stddev":1061040.8,"var":1125807423488.0,"ent":1.6,"data": [72,248,4635,4859,1038,9311,9054,2795,3496,481,2352,21820,23421,198700,4438876,4242440,38504,37941,469,2294,62501,64983,1232,38696,37823,527,2778,66747,69695,1087,39395]},"pktlen": {"min":54,"avg":76.3,"max":140,"stddev":30.1,"var":907.0,"ent":4.9,"data": [66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01853{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":1802493.1,"max":27505948,"stddev":6724537.0,"var":45219399598080.0,"ent":1.2,"data": [709,199149,27505948,27310358,42735,39960,130,529,60417,61165,1588,38934,37729,553,2947,66282,69491,1247,39646,39140,1019,2437,62744,65305,1790,40465,38726,170,6175,66713,73088]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01852{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":237,"avg":876330.8,"max":13150790,"stddev":3197714.5,"var":10225378656256.0,"ent":1.4,"data": [404,199934,13150790,12952309,38608,37989,477,2148,62571,64954,1016,38807,38093,501,2594,66803,69615,1179,39541,39110,979,2406,62938,65497,773,40198,39480,237,5592,67477,73236]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":30616.7,"max":73508,"stddev":26730.8,"var":714536192.0,"ent":4.3,"data": [1998,38598,37069,480,2447,62266,64859,841,38683,38127,461,2290,67273,69748,665,39428,39498,931,2251,63248,65640,1623,40275,38699,156,6124,67250,73508,2463,42357,39863]},"pktlen": {"min":54,"avg":79.0,"max":140,"stddev":33.2,"var":1105.2,"ent":4.9,"data": [140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114]},"bins": {"c_to_s": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907272856457,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EWkAAIARN1LAqDgBwKg4ZcSORFwAZ7scQgMdqQeYckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjEyIEVFVCAyMDE2In0="}
 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"}
 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":489,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"}
-01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114,0]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="}
 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1042,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="}
 00636{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="}
-01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708,0]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00635{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"}
 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1936,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="}
 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2015,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="}
-01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537,0]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564,0]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907282684236,"flow_dst_last_pkt_time":1455907282686487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9710,"flow_dst_tot_l4_payload_len":2010,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907285180257,"flow_dst_last_pkt_time":1455907285181466,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9747,"flow_dst_tot_l4_payload_len":2047,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907284043615,"flow_dst_last_pkt_time":1455907284046276,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9760,"flow_dst_tot_l4_payload_len":2060,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -107,10 +107,10 @@
 ~~ total active/idle flows...: 16/16
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6315163 bytes
-~~ total memory freed........: 6315163 bytes
+~~ total memory allocated....: 6315099 bytes
+~~ total memory freed........: 6315099 bytes
 ~~ total allocations/frees...: 130155/130155
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1860 chars
-~~ json string avg len.......: 1176 chars
+~~ json string max len.......: 1858 chars
+~~ json string avg len.......: 1175 chars
diff --git a/test/results/collectd.pcap.out b/test/results/collectd.pcap.out
index c90cb6a1d..d05658942 100644
--- a/test/results/collectd.pcap.out
+++ b/test/results/collectd.pcap.out
@@ -41,7 +41,7 @@
 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":29,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315463990790,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23962,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315463990790,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":35,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315513990834,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":31897,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315513990834,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":41,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315563990487,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39897,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315563990487,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
-01846{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":417,"avg":8709655.0,"max":10000474,"stddev":3352121.2,"var":11236716576768.0,"ent":4.8,"data": [9999043,10000474,9999533,9999908,9999948,529,9999990,10000110,9999700,10000036,9999885,10000020,417,9999778,9999931,10000097,9999852,9999817,10000085,761,9999588,9999630,10000163,10000066,9999926,9999713,640,10000064,9999244,10000446,9999890,0]},"pktlen": {"min":1353,"avg":1371.6,"max":1388,"stddev":10.8,"var":116.6,"ent":5.0,"data": [1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01844{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":417,"avg":8709655.0,"max":10000474,"stddev":3352121.2,"var":11236716576768.0,"ent":4.8,"data": [9999043,10000474,9999533,9999908,9999948,529,9999990,10000110,9999700,10000036,9999885,10000020,417,9999778,9999931,10000097,9999852,9999817,10000085,761,9999588,9999630,10000163,10000066,9999926,9999713,640,10000064,9999244,10000446,9999890]},"pktlen": {"min":1353,"avg":1371.6,"max":1388,"stddev":10.8,"var":116.6,"ent":5.0,"data": [1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":48,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315623990962,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49178,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315623990962,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315683990797,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":58483,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315683990797,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"collectd.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655315734133371,"flow_src_last_pkt_time":1655315734133371,"flow_dst_last_pkt_time":1655315734133371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1334,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1334,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315734133371,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":36832,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -72,8 +72,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050934 bytes
-~~ total memory freed........: 6050934 bytes
+~~ total memory allocated....: 6050898 bytes
+~~ total memory freed........: 6050898 bytes
 ~~ total allocations/frees...: 121645/121645
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/corba.pcap.out b/test/results/corba.pcap.out
index 9a4ffe632..d4a197a14 100644
--- a/test/results/corba.pcap.out
+++ b/test/results/corba.pcap.out
@@ -27,8 +27,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045683 bytes
-~~ total memory freed........: 6045683 bytes
+~~ total memory allocated....: 6045671 bytes
+~~ total memory freed........: 6045671 bytes
 ~~ total allocations/frees...: 121532/121532
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/cpha.pcap.out b/test/results/cpha.pcap.out
index e6ff514c1..dd107c713 100644
--- a/test/results/cpha.pcap.out
+++ b/test/results/cpha.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035646 bytes
-~~ total memory freed........: 6035646 bytes
+~~ total memory allocated....: 6035642 bytes
+~~ total memory freed........: 6035642 bytes
 ~~ total allocations/frees...: 121487/121487
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/crynet.pcap.out b/test/results/crynet.pcap.out
index 3ea6a1646..43048473c 100644
--- a/test/results/crynet.pcap.out
+++ b/test/results/crynet.pcap.out
@@ -36,8 +36,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042269 bytes
-~~ total memory freed........: 6042269 bytes
+~~ total memory allocated....: 6042253 bytes
+~~ total memory freed........: 6042253 bytes
 ~~ total allocations/frees...: 121577/121577
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/dazn.pcapng.out b/test/results/dazn.pcapng.out
index 43e38502c..506f795b2 100644
--- a/test/results/dazn.pcapng.out
+++ b/test/results/dazn.pcapng.out
@@ -30,8 +30,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6051621 bytes
-~~ total memory freed........: 6051621 bytes
+~~ total memory allocated....: 6051609 bytes
+~~ total memory freed........: 6051609 bytes
 ~~ total allocations/frees...: 121531/121531
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/dcerpc.pcap.out b/test/results/dcerpc.pcap.out
index 31b002664..f58914f6c 100644
--- a/test/results/dcerpc.pcap.out
+++ b/test/results/dcerpc.pcap.out
@@ -31,8 +31,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040993 bytes
-~~ total memory freed........: 6040993 bytes
+~~ total memory allocated....: 6040977 bytes
+~~ total memory freed........: 6040977 bytes
 ~~ total allocations/frees...: 121533/121533
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/dhcp-fuzz.pcapng.out b/test/results/dhcp-fuzz.pcapng.out
index 240a126c7..ea9633d16 100644
--- a/test/results/dhcp-fuzz.pcapng.out
+++ b/test/results/dhcp-fuzz.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035646 bytes
-~~ total memory freed........: 6035646 bytes
+~~ total memory allocated....: 6035642 bytes
+~~ total memory freed........: 6035642 bytes
 ~~ total allocations/frees...: 121487/121487
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
diff --git a/test/results/diameter.pcap.out b/test/results/diameter.pcap.out
index b109e0e8d..768bc6253 100644
--- a/test/results/diameter.pcap.out
+++ b/test/results/diameter.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035819 bytes
-~~ total memory freed........: 6035819 bytes
+~~ total memory allocated....: 6035815 bytes
+~~ total memory freed........: 6035815 bytes
 ~~ total allocations/frees...: 121493/121493
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/discord.pcap.out b/test/results/discord.pcap.out
index cc0affbb0..e6f876893 100644
--- a/test/results/discord.pcap.out
+++ b/test/results/discord.pcap.out
@@ -268,8 +268,8 @@
 ~~ total active/idle flows...: 34/34
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6108288 bytes
-~~ total memory freed........: 6108288 bytes
+~~ total memory allocated....: 6108152 bytes
+~~ total memory freed........: 6108152 bytes
 ~~ total allocations/frees...: 122238/122238
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/dnp3.pcap.out b/test/results/dnp3.pcap.out
index 503b0e4fa..a0f184019 100644
--- a/test/results/dnp3.pcap.out
+++ b/test/results/dnp3.pcap.out
@@ -5,14 +5,14 @@
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="}
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="}
 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097501938503490,"flow_dst_last_pkt_time":1097501938504844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097501938504844,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01633{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":201,"avg":12646847.0,"max":120145678,"stddev":35851428.0,"var":1285324797902848.0,"ent":0.4,"data": [201,411,1564,151649,2891882,795,3043080,21210,212002,120145678,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":201,"avg":12646847.0,"max":120145678,"stddev":35851428.0,"var":1285324797902848.0,"ent":0.4,"data": [201,411,1564,151649,2891882,795,3043080,21210,212002,120145678]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00552{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":40,"packets-processed":39,"total-skipped-flows":0,"total-l4-payload-len":345,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1097502623045756}
 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097502623045756,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="}
 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623046134,"flow_dst_last_pkt_time":1097502623047417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097502623047417,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01634{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":174,"avg":5095169.5,"max":17487311,"stddev":6400487.0,"var":40966232735744.0,"ent":2.2,"data": [174,378,1487,181225,17203302,17487311,4814054,4907006,3276812,3079947,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":174,"avg":5095169.5,"max":17487311,"stddev":6400487.0,"var":40966232735744.0,"ent":2.2,"data": [174,378,1487,181225,17203302,17487311,4814054,4907006,3276812,3079947]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00553{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":79,"packets-processed":78,"total-skipped-flows":0,"total-l4-payload-len":540,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1097504102255746}
 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097504102255746,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="}
@@ -20,7 +20,7 @@
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="}
 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102256118,"flow_dst_last_pkt_time":1097504102257400,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097504102257400,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648678187,"flow_dst_last_pkt_time":1097502648677871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097504103602860,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01629{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":167,"avg":8548988.0,"max":82989444,"stddev":24816838.0,"var":615875493232640.0,"ent":0.2,"data": [167,372,1487,144969,996855,774,1141407,10263,204144,82989444,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":167,"avg":8548988.0,"max":82989444,"stddev":24816838.0,"var":615875493232640.0,"ent":0.2,"data": [167,372,1487,144969,996855,774,1141407,10263,204144,82989444]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":217,"packets-processed":216,"total-skipped-flows":0,"total-l4-payload-len":3957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":3,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1097505644006837}
 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505644006837,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="}
@@ -28,14 +28,14 @@
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":219,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="}
 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":15,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502062040142,"flow_dst_last_pkt_time":1097502061912093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097505644007259,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":3,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505719035890,"flow_dst_last_pkt_time":1097505644007009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":15,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":15,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505719035890,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01633{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":22121654.0,"max":75076356,"stddev":29809640.0,"var":888614640680960.0,"ent":1.9,"data": [172,422,75028631,75076356,533,48219,553,153041,35338826,35569788,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":66.7,"max":77,"stddev":5.9,"var":34.5,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":22121654.0,"max":75076356,"stddev":29809640.0,"var":888614640680960.0,"ent":1.9,"data": [172,422,75028631,75076356,533,48219,553,153041,35338826,35569788]},"pktlen": {"min":60,"avg":66.7,"max":77,"stddev":5.9,"var":34.5,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":352,"packets-processed":351,"total-skipped-flows":0,"total-l4-payload-len":5682,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":4,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":32,"global_ts_usec":1097507785883614}
 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097507785883614,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":353,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":354,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="}
 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":361,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883944,"flow_dst_last_pkt_time":1097507785885063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097507785885063,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":562893.4,"max":2639445,"stddev":999852.8,"var":999705673728.0,"ent":1.5,"data": [139,330,1310,168563,2471106,796,2639445,99801,232167,15277,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.1,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01576{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":562893.4,"max":2639445,"stddev":999852.8,"var":999705673728.0,"ent":1.5,"data": [139,330,1310,168563,2471106,796,2639445,99801,232167,15277]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.1,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":427,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":60,"flow_dst_packets_processed":78,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504224083555,"flow_dst_last_pkt_time":1097504223905294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":91,"flow_src_tot_l4_payload_len":687,"flow_dst_tot_l4_payload_len":2730,"midstream":0,"thread_ts_usec":1097507789958377,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":445,"packets-processed":444,"total-skipped-flows":0,"total-l4-payload-len":7101,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":5,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1097510947092701}
 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510947092701,"flow_dst_last_pkt_time":1097510947092701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097510947092701,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -52,14 +52,14 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1097512255234470,"flow_dst_last_pkt_time":1097512255234470,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097512255234470,"pkt":"AAKzznBRAFAEk3BnCABFAAAwBpNAAIAG4CoKAAAICgAAAwSgTiANrtDCAAAAAHAC\/\/895AAAAgQFtAEBBAI="}
 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":481,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512255234830,"flow_dst_last_pkt_time":1097512255236054,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097512255236054,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":496,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":57,"flow_dst_packets_processed":36,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507856257809,"flow_dst_last_pkt_time":1097507856091024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":93,"flow_src_tot_l4_payload_len":645,"flow_dst_tot_l4_payload_len":774,"midstream":0,"thread_ts_usec":1097512264841740,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01631{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":157,"avg":2471499.5,"max":9487840,"stddev":3592256.2,"var":12904304738304.0,"ent":1.9,"data": [157,360,1427,192830,9226978,9487840,187102,2636386,2814075,167839,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":66.8,"max":78,"stddev":7.0,"var":48.7,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":157,"avg":2471499.5,"max":9487840,"stddev":3592256.2,"var":12904304738304.0,"ent":1.9,"data": [157,360,1427,192830,9226978,9487840,187102,2636386,2814075,167839]},"pktlen": {"min":60,"avg":66.8,"max":78,"stddev":7.0,"var":48.7,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":505,"packets-processed":504,"total-skipped-flows":0,"total-l4-payload-len":7593,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":0,"total-updates":1,"current-active-flows":2,"total-active-flows":7,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":56,"global_ts_usec":1097513177295531}
 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097513177295531,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":506,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":507,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="}
 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":514,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295941,"flow_dst_last_pkt_time":1097513177297272,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097513177297272,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01631{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":1541184.1,"max":3963212,"stddev":1422434.8,"var":2023320715264.0,"ent":2.5,"data": [199,410,1542,125290,3672101,3963212,1744251,1702440,2163787,2038609,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":1541184.1,"max":3963212,"stddev":1422434.8,"var":2023320715264.0,"ent":2.5,"data": [199,410,1542,125290,3672101,3963212,1744251,1702440,2163787,2038609]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185107737,"flow_dst_last_pkt_time":1097513185107430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00898{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":12,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510959359091,"flow_dst_last_pkt_time":1097510959487180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
@@ -72,10 +72,10 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6063236 bytes
-~~ total memory freed........: 6063236 bytes
+~~ total memory allocated....: 6063204 bytes
+~~ total memory freed........: 6063204 bytes
 ~~ total allocations/frees...: 122116/122116
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1639 chars
-~~ json string avg len.......: 1064 chars
+~~ json string max len.......: 1595 chars
+~~ json string avg len.......: 1042 chars
diff --git a/test/results/dns-invalid-chars.pcap.out b/test/results/dns-invalid-chars.pcap.out
index 44c61178f..9a6907b42 100644
--- a/test/results/dns-invalid-chars.pcap.out
+++ b/test/results/dns-invalid-chars.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
diff --git a/test/results/dns-tunnel-iodine.pcap.out b/test/results/dns-tunnel-iodine.pcap.out
index 7f41f1b4f..1f6bb7ba3 100644
--- a/test/results/dns-tunnel-iodine.pcap.out
+++ b/test/results/dns-tunnel-iodine.pcap.out
@@ -6,7 +6,7 @@
 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051175,"pkt":"CAAnnOC0CAAnx266CABFAABZAABAAEARImMKAAIUCgACHgA1rl8ARRoeErCEAAABAAEAAAAAC3ZhYWFha2FyZGxpBnBpcmF0ZQNzZWEAAAoAAcAMAAoAAQAAAAAACVZBQ0tEA8XpAQ=="}
 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":61,"midstream":0,"thread_ts_usec":1282356640051175,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"vaaaakardli.pirate.sea","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":10,"rsp_type":10,"rsp_addr":"0.0.0.0"}}}
 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1282356640051979,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051979,"pkt":"CAAnx266CAAnnOC0CABFAABZAABAAEARImMKAAIeCgACFK5fADUARcobMN8BAAABAAAAAAAAIGxhZWdwdW1pcGxoaHB6MTJ5bmQxZWZsandsa2pjZ3d5BnBpcmF0ZQNzZWEAAAoAAQ=="}
-01835{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":93,"avg":162277.3,"max":1002966,"stddev":368318.9,"var":135658823680.0,"ent":2.4,"data": [93,897,1083,5795,5715,411,342,245,227,219,217,216,215,213,212,209,230,282,586,445,177,314,494,447,227,245,1001664,1002291,1001465,1002966,1002454,0]},"pktlen": {"min":82,"avg":246.6,"max":1476,"stddev":286.6,"var":82112.7,"ent":4.4,"data": [82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323]},"bins": {"c_to_s": [0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":93,"avg":162277.3,"max":1002966,"stddev":368318.9,"var":135658823680.0,"ent":2.4,"data": [93,897,1083,5795,5715,411,342,245,227,219,217,216,215,213,212,209,230,282,586,445,177,314,494,447,227,245,1001664,1002291,1001465,1002966,1002454]},"pktlen": {"min":82,"avg":246.6,"max":1476,"stddev":286.6,"var":82112.7,"ent":4.4,"data": [82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323]},"bins": {"c_to_s": [0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01043{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":222,"flow_dst_packets_processed":212,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356664538177,"flow_dst_last_pkt_time":1282356664538369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1470,"flow_src_tot_l4_payload_len":16812,"flow_dst_tot_l4_payload_len":35212,"midstream":0,"thread_ts_usec":1282356664538369,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","packets-captured":438,"packets-processed":434,"total-skipped-flows":0,"total-l4-payload-len":52024,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1282356664538369}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6048256 bytes
-~~ total memory freed........: 6048256 bytes
+~~ total memory allocated....: 6048252 bytes
+~~ total memory freed........: 6048252 bytes
 ~~ total allocations/frees...: 121922/121922
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
-~~ json string max len.......: 1840 chars
+~~ json string max len.......: 1838 chars
 ~~ json string avg len.......: 1123 chars
diff --git a/test/results/dns_ambiguous_names.pcap.out b/test/results/dns_ambiguous_names.pcap.out
index 6f3c270de..2c662e849 100644
--- a/test/results/dns_ambiguous_names.pcap.out
+++ b/test/results/dns_ambiguous_names.pcap.out
@@ -69,8 +69,8 @@
 ~~ total active/idle flows...: 10/10
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050894 bytes
-~~ total memory freed........: 6050894 bytes
+~~ total memory allocated....: 6050854 bytes
+~~ total memory freed........: 6050854 bytes
 ~~ total allocations/frees...: 121598/121598
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/dns_doh.pcap.out b/test/results/dns_doh.pcap.out
index 1c25afbe8..9fdbad42a 100644
--- a/test/results/dns_doh.pcap.out
+++ b/test/results/dns_doh.pcap.out
@@ -6,7 +6,7 @@
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1571089200876498,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1571089200876498,"pkt":"WkBO7NFkeDHBvV4kCABFAAAoAABAAEAGI66sFAoEaBD4+cLVAbuk7FgjymHcL1AQEAAggAAA"}
 01118{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1571089200878306,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200968629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1571089200968629,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":63645.8,"max":535341,"stddev":131829.5,"var":17379012608.0,"ent":3.0,"data": [87116,87208,1808,92218,5,2,90426,511,1485,930,26074,858,110,91,102733,7825,6,1,83431,1,17900,147557,535341,708,88830,66,525420,6,10702,6,0,0]},"pktlen": {"min":54,"avg":230.9,"max":1354,"stddev":327.3,"var":107137.2,"ent":4.1,"data": [78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85]},"bins": {"c_to_s": [9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":63645.8,"max":535341,"stddev":131829.5,"var":17379012608.0,"ent":3.0,"data": [87116,87208,1808,92218,5,2,90426,511,1485,930,26074,858,110,91,102733,7825,6,1,83431,1,17900,147557,535341,708,88830,66,525420,6,10702,6]},"pktlen": {"min":54,"avg":230.9,"max":1354,"stddev":327.3,"var":107137.2,"ent":4.1,"data": [78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85]},"bins": {"c_to_s": [9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":56,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089204031014,"flow_dst_last_pkt_time":1571089204030791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":3792,"flow_dst_tot_l4_payload_len":8866,"midstream":0,"thread_ts_usec":1571089204031014,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","packets-captured":142,"packets-processed":142,"total-skipped-flows":0,"total-l4-payload-len":12658,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1571089204031014}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049286 bytes
-~~ total memory freed........: 6049286 bytes
+~~ total memory allocated....: 6049282 bytes
+~~ total memory freed........: 6049282 bytes
 ~~ total allocations/frees...: 121635/121635
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1698 chars
-~~ json string avg len.......: 1054 chars
+~~ json string max len.......: 1694 chars
+~~ json string avg len.......: 1052 chars
diff --git a/test/results/dns_dot.pcap.out b/test/results/dns_dot.pcap.out
index ee294bb51..0fa4cd2a9 100644
--- a/test/results/dns_dot.pcap.out
+++ b/test/results/dns_dot.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6044675 bytes
-~~ total memory freed........: 6044675 bytes
+~~ total memory allocated....: 6044671 bytes
+~~ total memory freed........: 6044671 bytes
 ~~ total allocations/frees...: 121529/121529
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/dns_exfiltration.pcap.out b/test/results/dns_exfiltration.pcap.out
index 3053b44dd..0b481905a 100644
--- a/test/results/dns_exfiltration.pcap.out
+++ b/test/results/dns_exfiltration.pcap.out
@@ -6,7 +6,7 @@
 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"thread_ts_usec":1580978146888524,"pkt":"jNzURr7Eqqru7hERCABFAAF0PC1AAD8R1RrAqMunwKjcOAA13DUBYD3xOR2BgAABAAEAAAAABmRuc2NhdDw1NDZiMDNmNTAwMDAwMDAwMDBhNjAyM2VkNGRmMTg0ZDZhYzVjMjYyOGI0NzcxNGZkZWU1ODRmZWQ3Mzk8NWEwM2I1YjFlMWFhOGY4ZmRiMWJiZThkNWUwNDk1MjE0MWY3ZDRmODJjN2UzYjA2ZGNjOGI4N2ZhZDdhGjE5ZTRkMDk4ZGM4YzYxOGY4ZDgxY2ZlYjAyAAAPAAHADAAPAAEAAAA8AJ8ACgZkbnNjYXQ\/MjAxZjAzZjUwMDAwMDAwMDAwNzEzYjkyNzFmMDExZGM3NjQyM2RhYjM5MmMzMmMxOGJmYzk2YjZkMjY5NWEyPzZhOTExYzk0NDcyZjU5NDA5YTVmNTI2MDEzZTc2MDE5MzY2YTA3NzkyOWUzNDgwZmJlNmQ3YzRlZGE2ZjkwOBRmMmJjOTlhNjAxZTFhODIyMTMzNgA="}
 01325{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":173,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":173,"flow_dst_tot_l4_payload_len":344,"midstream":0,"thread_ts_usec":1580978146888524,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}}
 00670{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1580978147753419,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":1580978147753419,"pkt":"qqru7hERjNzURr7ECABFAACYekZAAD8RAADAqNw4wKjLp9w1ADUAhCnHfRoBAAABAAAAAAAABmRuc2NhdDw5MWYwMDNmNTAwZjYxMjIxODEwYWVhMDAwMDA0ODYzYzY5MTU4MGVjYWQ2NmY2NGFjN2RkYjg3Yjg5YzcmOTIwMDgyMWU1MjdkNGUxNzYzMjUzYzI1ZTI5N2UyYWE0MTEzZDAAAAUAAQ=="}
-02058{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3976,"avg":913783.2,"max":1035526,"stddev":281798.4,"var":79410348032.0,"ent":4.8,"data": [170631,1035526,866477,1015270,1015599,4647,3976,1009971,1010376,1009201,1009121,1008475,1008435,1009499,1009380,1008042,1008120,1008655,1008570,1009773,1009797,1009990,1010112,1008960,1008939,1008465,1008353,1007666,1007763,1008795,1008694,0]},"pktlen": {"min":101,"avg":146.4,"max":386,"stddev":59.1,"var":3497.9,"ent":4.9,"data": [215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148]},"bins": {"c_to_s": [0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+02056{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3976,"avg":913783.2,"max":1035526,"stddev":281798.4,"var":79410348032.0,"ent":4.8,"data": [170631,1035526,866477,1015270,1015599,4647,3976,1009971,1010376,1009201,1009121,1008475,1008435,1009499,1009380,1008042,1008120,1008655,1008570,1009773,1009797,1009990,1010112,1008960,1008939,1008465,1008353,1007666,1007763,1008795,1008694]},"pktlen": {"min":101,"avg":146.4,"max":386,"stddev":59.1,"var":3497.9,"ent":4.9,"data": [215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148]},"bins": {"c_to_s": [0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01163{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":115,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":57,"flow_dst_packets_processed":57,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978196387731,"flow_dst_last_pkt_time":1580978196389199,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":4115,"flow_dst_tot_l4_payload_len":7851,"midstream":0,"thread_ts_usec":1580978196389199,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01165{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":150,"flow_dst_packets_processed":150,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978206706247,"flow_dst_last_pkt_time":1580978206707432,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":26119,"flow_dst_tot_l4_payload_len":34826,"midstream":0,"thread_ts_usec":1580978206707432,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","packets-captured":300,"packets-processed":300,"total-skipped-flows":0,"total-l4-payload-len":60945,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1580978206707432}
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6044459 bytes
-~~ total memory freed........: 6044459 bytes
+~~ total memory allocated....: 6044455 bytes
+~~ total memory freed........: 6044455 bytes
 ~~ total allocations/frees...: 121789/121789
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
-~~ json string max len.......: 2063 chars
-~~ json string avg len.......: 1257 chars
+~~ json string max len.......: 2061 chars
+~~ json string avg len.......: 1256 chars
diff --git a/test/results/dns_fragmented.pcap.out b/test/results/dns_fragmented.pcap.out
index 1bf68f59d..23f68e08c 100644
--- a/test/results/dns_fragmented.pcap.out
+++ b/test/results/dns_fragmented.pcap.out
@@ -154,8 +154,8 @@
 ~~ total active/idle flows...: 21/21
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6070129 bytes
-~~ total memory freed........: 6070129 bytes
+~~ total memory allocated....: 6070045 bytes
+~~ total memory freed........: 6070045 bytes
 ~~ total allocations/frees...: 121756/121756
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 217 chars
diff --git a/test/results/dns_invert_query.pcapng.out b/test/results/dns_invert_query.pcapng.out
index 5abf9d233..68b0fbb16 100644
--- a/test/results/dns_invert_query.pcapng.out
+++ b/test/results/dns_invert_query.pcapng.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035675 bytes
-~~ total memory freed........: 6035675 bytes
+~~ total memory allocated....: 6035671 bytes
+~~ total memory freed........: 6035671 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 503 chars
diff --git a/test/results/dns_long_domainname.pcap.out b/test/results/dns_long_domainname.pcap.out
index ec837e56d..91eefe5a6 100644
--- a/test/results/dns_long_domainname.pcap.out
+++ b/test/results/dns_long_domainname.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035720 bytes
-~~ total memory freed........: 6035720 bytes
+~~ total memory allocated....: 6035716 bytes
+~~ total memory freed........: 6035716 bytes
 ~~ total allocations/frees...: 121490/121490
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
index b4e2713be..41f1b1de8 100644
--- a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
+++ b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
@@ -1667,8 +1667,8 @@
 ~~ total active/idle flows...: 245/245
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6447029 bytes
-~~ total memory freed........: 6447029 bytes
+~~ total memory allocated....: 6446049 bytes
+~~ total memory freed........: 6446049 bytes
 ~~ total allocations/frees...: 124415/124415
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 231 chars
diff --git a/test/results/dnscrypt-v2-doh.pcap.out b/test/results/dnscrypt-v2-doh.pcap.out
index 74895bb6e..6d3f73622 100644
--- a/test/results/dnscrypt-v2-doh.pcap.out
+++ b/test/results/dnscrypt-v2-doh.pcap.out
@@ -249,8 +249,8 @@
 ~~ total active/idle flows...: 34/34
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6388448 bytes
-~~ total memory freed........: 6388448 bytes
+~~ total memory allocated....: 6388312 bytes
+~~ total memory freed........: 6388312 bytes
 ~~ total allocations/frees...: 122587/122587
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/dnscrypt-v2.pcap.out b/test/results/dnscrypt-v2.pcap.out
index eb26ea839..d85885a25 100644
--- a/test/results/dnscrypt-v2.pcap.out
+++ b/test/results/dnscrypt-v2.pcap.out
@@ -24,8 +24,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039075 bytes
-~~ total memory freed........: 6039075 bytes
+~~ total memory allocated....: 6039063 bytes
+~~ total memory freed........: 6039063 bytes
 ~~ total allocations/frees...: 121513/121513
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
diff --git a/test/results/dnscrypt_skype_false_positive.pcapng.out b/test/results/dnscrypt_skype_false_positive.pcapng.out
index a0d820085..551dddc35 100644
--- a/test/results/dnscrypt_skype_false_positive.pcapng.out
+++ b/test/results/dnscrypt_skype_false_positive.pcapng.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035819 bytes
-~~ total memory freed........: 6035819 bytes
+~~ total memory allocated....: 6035815 bytes
+~~ total memory freed........: 6035815 bytes
 ~~ total allocations/frees...: 121493/121493
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 516 chars
diff --git a/test/results/doq.pcapng.out b/test/results/doq.pcapng.out
index 851cb192e..18bfece81 100644
--- a/test/results/doq.pcapng.out
+++ b/test/results/doq.pcapng.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047987 bytes
-~~ total memory freed........: 6047987 bytes
+~~ total memory allocated....: 6047979 bytes
+~~ total memory freed........: 6047979 bytes
 ~~ total allocations/frees...: 121538/121538
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/doq_adguard.pcapng.out b/test/results/doq_adguard.pcapng.out
index 635ac41df..825c6ef92 100644
--- a/test/results/doq_adguard.pcapng.out
+++ b/test/results/doq_adguard.pcapng.out
@@ -5,7 +5,7 @@
 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425043144,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1608278425043144,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.adguard.com","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"doq-i00","tls_supported_versions":"TLSv1.3"}}}}
 00689{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":182,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":182,"pkt_l4_len":148,"thread_ts_usec":1608278425079621,"pkt":"mt9Y+uvcCL6sCxduCABFAACoAbMAAD8RP6dejA4OwKgMqQMQoG4AlJ+l8P8AAB0RXf586nXFuX6jZU8LHDkLsXUEXOoexyg1M1\/+GZvbsGeGqJJILJUnaeRPlfaewSkJ0QM1kILJB9RkVGFQIKTOYfD\/amFvF5G2sUWGCAnPMQAxGtra+t44CL4uNVFuP1UAIYDjP5flgPs8Cfp53+s66ugMjRy2XoqR7aApyqmdoc3EHdt+2Cg="}
 02173{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1608278425084825,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1274,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1274,"pkt_l4_len":1240,"thread_ts_usec":1608278425084825,"pkt":"CL6sCxdumt9Y+uvcCABFAATsXYtAAEARnorAqAypXowODqBuAxAE2FXxz\/8AAB0EXOoexxFd\/nzqdcW5fqNlTwscOQuxdUBgKDUzX\/4Zm9uwZ4aokkgslSdp5E+V9p7BKQnRAzWQgskH1GRUYVAgpM5h8P9qYW8XkbaxRYYICc8xADEa2tr63jgIvi41UW4\/VQAhgOM\/l+WA+zwJ+nnf6zrq6AyNHLZeRFASnCr8obwp9Ty5sR7kprQnC0Sv2ZcsxYzIMAthEKqYU0zMuGSEznU2JvTrq\/bykaeb5dqdGxdiszDYKDU6Jn7sPAcjUZ2gh8+BYZGe9phFiloXFkZRqkF4syIAEkOpcy2MK\/fkeUIOyP6wlwkzaY3fbmuxHrqRyLu45SBR1VMQFyHi28JYz7QmMQfDMqnuI0IWIuFKHwG0T\/v0jhF19jPBzG3JSCrPoiaSUV9rQI1kZsCKoMrGjumM68QAfolXONsAd2IYudReWz3mQrB3zOSDXc7+iPJJwc0+KS52obxIkJ0I8SZ7CLjp+FpGH++2YepZGSZYPB5rc\/4HU1bQ4ocmPERQ5l+FpQxpj4cq2AJTX05VWg9LfjDFrHE6D6oMOTTfheRhy7X3SqhzfVhy\/w3RXnv00qwNGkVr8QIR+wCM95sfw88fV3+NqmU3vnLU2z+qvvT2HlvRQm9ykjYa60lgB9sFJ5Ng9ge\/cpn16AR4r\/NoOup4fo8EeFB8cFrAVg+3WG3mgWxUdvK6oND07fFN48QrriL1y7XuIB3Fa65jgY5B4zE7vkkBXKUfGormP9hug8dHVr44WkbHCTqfFJuTHKIf9gtfJ9VQps1jhQjM952WGdM\/mFbut40pSDwrgQgdt0stO2C4PvDiwgzZaEybJzcZBHCUgM8reKIoRyLrSsWciN2b3tsFQXXaEeEGdt8Bc\/5zyh11uwNSzGQ\/Fl2k7QrJleMEWlDCFHuNFZdb7JDVOvqjlXAHTTHX0xSx0KU4aqrg\/kZVORXUFVlv\/xu8mW\/pGVbnSUQNAvLvkvHNdnu1ZPxtBzMoqU+96Xp\/DxrznNbYv32YFRLbK8kA8U4FaZhJ3oS+5KFBikdLEV9Hai2hbk8GZjN2iqviHrHccJqNkg3SIuZD5qamhaUaMG9NOa5pQ9jLJU\/ymgo7DdgKxRH8uuDjWk10CemOYV7pIj9XJEg0HHMmlI1Un6aDxtAu5UK1qm1HNb38yVa+sYeN5Ew6KHyqBUxxS4IflHX5qeqIZPOKrYg5MCubhSudLKbjcH5sXIzejKF8iZ0FlTKPdHSExxjW0QFN6bAWoLJuZE\/4kDcgHKTjdquB1S9wjg6Pah9A0AO1p8+A56ZYLVjRHdUF0Eo6bHTdn4hIgHvxPjCmO5BtWUKEeQnKGkkR8kgREjXo6GfEeHC4Vb4SCK88RJFW07bR+3U68E0sOKimZElroA+KMcE32OqnpsNULoyV7BunASAegp78gVNI0Bil4Klffm6tM6xnJr7Wx08jSGi+pGYWmiGnj3zfHIxpQuw4bIpm3S\/lud8tMnqwiD6\/bIUKO1SxVSWZBp6s2PlGyGHrgwwdIy5nXoip9OukmbhVHpu5a+3BERo9ToRhkKbGsS5gAuyL08\/F6VvMQD\/JdB+\/2rkXCT7ca7Lr49P5aV+w66D8Iwyn8BcCGyOLiGucN4S\/JjMhOeFgH9mu48hQ78o="}
-01737{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":160973.4,"max":1885270,"stddev":453072.4,"var":205274628096.0,"ent":2.4,"data": [36477,41681,43201,66,19,41861,6662,38406,6603,58707,16,206479,12,419140,55,727,29151,153173,67,8229,73,10468,39556,83,37026,44980,51489,1830423,63,12,1885270,0]},"pktlen": {"min":73,"avg":456.8,"max":1294,"stddev":522.9,"var":273444.5,"ent":4.1,"data": [1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83]},"bins": {"c_to_s": [4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":160973.4,"max":1885270,"stddev":453072.4,"var":205274628096.0,"ent":2.4,"data": [36477,41681,43201,66,19,41861,6662,38406,6603,58707,16,206479,12,419140,55,727,29151,153173,67,8229,73,10468,39556,83,37026,44980,51489,1830423,63,12,1885270]},"pktlen": {"min":73,"avg":456.8,"max":1294,"stddev":522.9,"var":273444.5,"ent":4.1,"data": [1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83]},"bins": {"c_to_s": [4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":164,"flow_dst_packets_processed":132,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278463119538,"flow_dst_last_pkt_time":1608278462796456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":30,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":10308,"flow_dst_tot_l4_payload_len":21705,"midstream":0,"thread_ts_usec":1608278463119538,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","packets-captured":296,"packets-processed":296,"total-skipped-flows":0,"total-l4-payload-len":32013,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1608278463119538}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6054299 bytes
-~~ total memory freed........: 6054299 bytes
+~~ total memory allocated....: 6054295 bytes
+~~ total memory freed........: 6054295 bytes
 ~~ total allocations/frees...: 121804/121804
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/dos_win98_smb_netbeui.pcap.out b/test/results/dos_win98_smb_netbeui.pcap.out
index 52d15d29f..567e24a69 100644
--- a/test/results/dos_win98_smb_netbeui.pcap.out
+++ b/test/results/dos_win98_smb_netbeui.pcap.out
@@ -342,7 +342,7 @@
 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":213,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQBXT1JLR1JPVVAgICAgICAeTUFSVElOIFJPU0VOQVUgAw=="}
 00200{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","layer_type":47,"global_ts_usec":1576409926307736}
 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQAAAAAAAAAAAAAAAAAAAAAATUFSVElOIFJPU0VOQVUgAw=="}
-01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":4235280.5,"max":96434388,"stddev":17261798.0,"var":297969697947648.0,"ent":1.5,"data": [471,72,38984,710235,79,43,39467,709823,84,47,40333,710082,133,63,40024,760697,749893,749148,750102,96434388,763919,759984,756024,755162,752213,756593,760022,22000853,749883,749867,755005,0]},"pktlen": {"min":110,"avg":110.0,"max":110,"stddev":0.0,"var":0.0,"ent":5.0,"data": [110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110]},"bins": {"c_to_s": [0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":4235280.5,"max":96434388,"stddev":17261798.0,"var":297969697947648.0,"ent":1.5,"data": [471,72,38984,710235,79,43,39467,709823,84,47,40333,710082,133,63,40024,760697,749893,749148,750102,96434388,763919,759984,756024,755162,752213,756593,760022,22000853,749883,749867,755005]},"pktlen": {"min":110,"avg":110.0,"max":110,"stddev":0.0,"var":0.0,"ent":5.0,"data": [110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110]},"bins": {"c_to_s": [0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00880{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1576409798047534,"flow_src_last_pkt_time":1576409798047534,"flow_dst_last_pkt_time":1576409798047534,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"224.0.0.2","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":0,"flow_first_seen":1576409797553896,"flow_src_last_pkt_time":1576409928060524,"flow_dst_last_pkt_time":1576409797553896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":952,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.2","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
@@ -356,8 +356,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042243 bytes
-~~ total memory freed........: 6042243 bytes
+~~ total memory allocated....: 6042227 bytes
+~~ total memory freed........: 6042227 bytes
 ~~ total allocations/frees...: 121576/121576
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 203 chars
diff --git a/test/results/drda_db2.pcap.out b/test/results/drda_db2.pcap.out
index 68e0ede71..84b60d676 100644
--- a/test/results/drda_db2.pcap.out
+++ b/test/results/drda_db2.pcap.out
@@ -5,7 +5,7 @@
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1175543772220609,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1175543772221098,"pkt":"AFBWwAABAAwpfMZqCABFAAAwAABAAEAG5PXAqGqAwKhqAcNQEu\/9XlZHCrRnsXASFtB6IQAAAgQFtAEBBAI="}
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1175543772221136,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1175543772221136,"pkt":"AAwpfMZqAFBWwAABCABFAAAoIqFAAIAGglzAqGoBwKhqgBLvw1AKtGex\/V5WSFAQ\/\/+9tQAA"}
 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543772338468,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":175,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":175,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1175543772338468,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
-01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":489,"avg":1315262.1,"max":17986057,"stddev":4366159.0,"var":19063346561024.0,"ent":1.8,"data": [489,527,117332,117692,728,9146,43443,966142,1129664,349281,477633,7546,71563,64394,182669,413229,622408,30275,5528,2591,521,1606,2014,1552,1127,154254,17828332,17986057,9928,7015,168439,0]},"pktlen": {"min":54,"avg":197.0,"max":717,"stddev":190.6,"var":36335.2,"ent":4.4,"data": [62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
+01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":489,"avg":1315262.1,"max":17986057,"stddev":4366159.0,"var":19063346561024.0,"ent":1.8,"data": [489,527,117332,117692,728,9146,43443,966142,1129664,349281,477633,7546,71563,64394,182669,413229,622408,30275,5528,2591,521,1606,2014,1552,1127,154254,17828332,17986057,9928,7015,168439]},"pktlen": {"min":54,"avg":197.0,"max":717,"stddev":190.6,"var":36335.2,"ent":4.4,"data": [62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":18,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543810683631,"flow_dst_last_pkt_time":1175543810683601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2081,"flow_dst_tot_l4_payload_len":2542,"midstream":0,"thread_ts_usec":1175543810683631,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","packets-captured":38,"packets-processed":38,"total-skipped-flows":0,"total-l4-payload-len":4623,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1175543810683631}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038795 bytes
-~~ total memory freed........: 6038795 bytes
+~~ total memory allocated....: 6038791 bytes
+~~ total memory freed........: 6038791 bytes
 ~~ total allocations/frees...: 121526/121526
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1756 chars
-~~ json string avg len.......: 1064 chars
+~~ json string max len.......: 1754 chars
+~~ json string avg len.......: 1063 chars
diff --git a/test/results/dropbox.pcap.out b/test/results/dropbox.pcap.out
index 0033bc3f0..f9cc06e98 100644
--- a/test/results/dropbox.pcap.out
+++ b/test/results/dropbox.pcap.out
@@ -10,20 +10,20 @@
 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"}
 00629{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"}
-01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114,0]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="}
 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="}
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="}
-01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708,0]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"}
 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":154,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="}
 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="}
-01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537,0]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564,0]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","packets-captured":801,"packets-processed":800,"total-skipped-flows":0,"total-l4-payload-len":47076,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":27,"global_ts_usec":1459182796665502}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1459182796665502,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1459182796665502,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.254","src_port":55407,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1459182796665502,"pkt":"8IQvSpdgeJKcD6iOCABFAABAOLtAAEARfTrAqAFpwKgB\/thvADUALFKSg5wBAAABAAAAAAAABmNsaWVudAdkcm9wYm94A2NvbQAAAQAB"}
@@ -115,10 +115,10 @@
 ~~ total active/idle flows...: 15/15
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6082861 bytes
-~~ total memory freed........: 6082861 bytes
+~~ total memory allocated....: 6082801 bytes
+~~ total memory freed........: 6082801 bytes
 ~~ total allocations/frees...: 122469/122469
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1771 chars
-~~ json string avg len.......: 1131 chars
+~~ json string max len.......: 1769 chars
+~~ json string avg len.......: 1130 chars
diff --git a/test/results/dtls.pcap.out b/test/results/dtls.pcap.out
index 7514c2e1f..aa878ed88 100644
--- a/test/results/dtls.pcap.out
+++ b/test/results/dtls.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035711 bytes
-~~ total memory freed........: 6035711 bytes
+~~ total memory allocated....: 6035707 bytes
+~~ total memory freed........: 6035707 bytes
 ~~ total allocations/frees...: 121490/121490
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/dtls2.pcap.out b/test/results/dtls2.pcap.out
index f0218fbc6..7944832d0 100644
--- a/test/results/dtls2.pcap.out
+++ b/test/results/dtls2.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036603 bytes
-~~ total memory freed........: 6036603 bytes
+~~ total memory allocated....: 6036599 bytes
+~~ total memory freed........: 6036599 bytes
 ~~ total allocations/frees...: 121521/121521
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/dtls_certificate.pcapng.out b/test/results/dtls_certificate.pcapng.out
index 57476f292..e4a27515e 100644
--- a/test/results/dtls_certificate.pcapng.out
+++ b/test/results/dtls_certificate.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6044127 bytes
-~~ total memory freed........: 6044127 bytes
+~~ total memory allocated....: 6044123 bytes
+~~ total memory freed........: 6044123 bytes
 ~~ total allocations/frees...: 121493/121493
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 503 chars
diff --git a/test/results/dtls_certificate_fragments.pcap.out b/test/results/dtls_certificate_fragments.pcap.out
index 8edb3fc7d..7729dc0c3 100644
--- a/test/results/dtls_certificate_fragments.pcap.out
+++ b/test/results/dtls_certificate_fragments.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036269 bytes
-~~ total memory freed........: 6036269 bytes
+~~ total memory allocated....: 6036265 bytes
+~~ total memory freed........: 6036265 bytes
 ~~ total allocations/frees...: 121509/121509
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 511 chars
diff --git a/test/results/dtls_mid_sessions.pcapng.out b/test/results/dtls_mid_sessions.pcapng.out
index a8d5d1524..50d803e8b 100644
--- a/test/results/dtls_mid_sessions.pcapng.out
+++ b/test/results/dtls_mid_sessions.pcapng.out
@@ -31,8 +31,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043168 bytes
-~~ total memory freed........: 6043168 bytes
+~~ total memory allocated....: 6043152 bytes
+~~ total memory freed........: 6043152 bytes
 ~~ total allocations/frees...: 121608/121608
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/dtls_old_version.pcapng.out b/test/results/dtls_old_version.pcapng.out
index f2b25d9e2..8ef4b584d 100644
--- a/test/results/dtls_old_version.pcapng.out
+++ b/test/results/dtls_old_version.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035895 bytes
-~~ total memory freed........: 6035895 bytes
+~~ total memory allocated....: 6035891 bytes
+~~ total memory freed........: 6035891 bytes
 ~~ total allocations/frees...: 121496/121496
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 503 chars
diff --git a/test/results/dtls_session_id_and_coockie_both.pcap.out b/test/results/dtls_session_id_and_coockie_both.pcap.out
index 5d53d1464..b966ec1fe 100644
--- a/test/results/dtls_session_id_and_coockie_both.pcap.out
+++ b/test/results/dtls_session_id_and_coockie_both.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035769 bytes
-~~ total memory freed........: 6035769 bytes
+~~ total memory allocated....: 6035765 bytes
+~~ total memory freed........: 6035765 bytes
 ~~ total allocations/frees...: 121492/121492
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 517 chars
diff --git a/test/results/emotet.pcap.out b/test/results/emotet.pcap.out
index 72eab48e8..c773b3742 100644
--- a/test/results/emotet.pcap.out
+++ b/test/results/emotet.pcap.out
@@ -5,14 +5,14 @@
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645830066121611,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1645830066871134,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsxzIAAIAGd+HB\/BZUCgIZZgJL392K6SffzSFkt2AS+vDaogAAAgQFtA=="}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645830066871330,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1645830066871330,"pkt":"IOUqtpPxAAgCHEeuCABFAAAowBNAAIAGPwQKAhlmwfwWVN\/dAkvNIWS3iukn4FAQ+vDyXwAA"}
 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830067978107,"flow_dst_last_pkt_time":1645830068348052,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":214,"midstream":0,"thread_ts_usec":1645830068348052,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"opmta1mto02nd1","smtp": {"user":"","password":"","auth_failed":0}}}
-01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":254,"avg":538713.4,"max":3056402,"stddev":774055.0,"var":599161176064.0,"ent":3.7,"data": [749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254,0]},"pktlen": {"min":54,"avg":94.8,"max":752,"stddev":121.9,"var":14849.5,"ent":4.5,"data": [66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752]},"bins": {"c_to_s": [8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":254,"avg":538713.4,"max":3056402,"stddev":774055.0,"var":599161176064.0,"ent":3.7,"data": [749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254]},"pktlen": {"min":54,"avg":94.8,"max":752,"stddev":121.9,"var":14849.5,"ent":4.5,"data": [66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752]},"bins": {"c_to_s": [8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":627,"packets-processed":626,"total-skipped-flows":0,"total-l4-payload-len":404645,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1648563468993352}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563468993352,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1648563468993352,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0EddAAIAG2c0KAx1laKF\/Ftv1AFBvd7IvAAAAAIAC+vBnEwAAAgQFtAEDAwgBAQQC"}
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":628,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1648563469109116,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsoCoAAIAGi4JooX8WCgMdZQBQ2\/UuAEklb3eyMGAS+vAY8wAAAgQFtA=="}
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":629,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1648563469109248,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1648563469109248,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoEdhAAIAG2dgKAx1laKF\/Ftv1AFBvd7IwLgBJJlAQ+vAwsAAA"}
 01142{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":630,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469109583,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563469109583,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fkl.co.ke","http": {"url":"fkl.co.ke\/wp-content\/Elw3kPvOsZxM5\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.74 Safari\/537.36 Edg\/99.0.1150.55","detected_os":"Windows 10"}}}
-01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":28956.4,"max":204389,"stddev":59845.4,"var":3581476608.0,"ent":2.7,"data": [115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690,0]},"pktlen": {"min":54,"avg":834.0,"max":1415,"stddev":663.1,"var":439751.8,"ent":4.4,"data": [66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":28956.4,"max":204389,"stddev":59845.4,"var":3581476608.0,"ent":2.7,"data": [115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690]},"pktlen": {"min":54,"avg":834.0,"max":1415,"stddev":663.1,"var":439751.8,"ent":4.4,"data": [66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00908{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":831,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":303,"flow_dst_packets_processed":323,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830085160825,"flow_dst_last_pkt_time":1645830085160896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":403803,"flow_dst_tot_l4_payload_len":842,"midstream":0,"thread_ts_usec":1648563473087528,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":835,"packets-processed":834,"total-skipped-flows":0,"total-l4-payload-len":582320,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1650490398530577}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398530577,"flow_dst_last_pkt_time":1650490398530577,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398530577,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -21,7 +21,7 @@
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1650490398628126,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650490398628126,"pkt":"IOUqtpPxAAgCHEeuCABFAAAo\/mNAAIAGv44KBBRma6Gy0tQvAFBRzVZnDPZp\/FAQBAB7UAAAAAAAAAAA"}
 01082{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":838,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398628513,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}}
 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":839,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398888771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1650490398888771,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":200,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}}
-01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":30903.8,"max":260940,"stddev":65726.9,"var":4320020480.0,"ent":3.0,"data": [97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932,0]},"pktlen": {"min":60,"avg":671.7,"max":1442,"stddev":680.4,"var":462891.9,"ent":4.1,"data": [66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60]},"bins": {"c_to_s": [16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01832{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":30903.8,"max":260940,"stddev":65726.9,"var":4320020480.0,"ent":3.0,"data": [97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932]},"pktlen": {"min":60,"avg":671.7,"max":1442,"stddev":680.4,"var":462891.9,"ent":4.1,"data": [66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60]},"bins": {"c_to_s": [16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":72,"flow_dst_packets_processed":136,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563480808552,"flow_dst_last_pkt_time":1648563480808458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":537,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":983,"flow_dst_tot_l4_payload_len":176692,"midstream":0,"thread_ts_usec":1650490407650290,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00565{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":1664,"packets-processed":1663,"total-skipped-flows":0,"total-l4-payload-len":1352571,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":3,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1650905413858492}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905413858492,"flow_dst_last_pkt_time":1650905413858492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905413858492,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -30,7 +30,7 @@
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1666,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1650905414043020,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905414043020,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoLKZAAIAGOLwKBBllTWkknMKFAFDxFWwhKWw3CFAQAgOX4gAAAAAAAAAA"}
 01133{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1667,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905414043252,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":0,"content_type":"","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}}
 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1669,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414335184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":572,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":572,"midstream":0,"thread_ts_usec":1650905414335184,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":200,"content_type":"application\/x-msdownload","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}}
-01956{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":56,"avg":42190.8,"max":292217,"stddev":79641.8,"var":6342810624.0,"ent":2.9,"data": [184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56,0]},"pktlen": {"min":60,"avg":892.9,"max":1442,"stddev":652.6,"var":425943.0,"ent":4.5,"data": [66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60]},"bins": {"c_to_s": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01954{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":56,"avg":42190.8,"max":292217,"stddev":79641.8,"var":6342810624.0,"ent":2.9,"data": [184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56]},"pktlen": {"min":60,"avg":892.9,"max":1442,"stddev":652.6,"var":425943.0,"ent":4.5,"data": [66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60]},"bins": {"c_to_s": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":272,"flow_dst_packets_processed":557,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490407554682,"flow_dst_last_pkt_time":1650490407650290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":770026,"midstream":0,"thread_ts_usec":1650905415845438,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467542773,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905467542773,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C55AAIAGrZIKBBllisWTZcKLAbv3Q1KhAAAAAIAC\/\/8fUQAAAgQFtAEDAwgBAQQC"}
@@ -38,7 +38,7 @@
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2230,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1650905467652398,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905467652398,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoC59AAIAGrZ0KBBllisWTZcKLAbv3Q1KiR\/jAO1AQBABT4AAAAAAAAAAA"}
 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2231,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467666537,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01673{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2233,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467789145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1378,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1378,"midstream":0,"thread_ts_usec":1650905467789145,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}}
-01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":58,"avg":116901.0,"max":1262510,"stddev":291863.6,"var":85184339968.0,"ent":2.7,"data": [109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118,0,0]},"pktlen": {"min":60,"avg":696.0,"max":1442,"stddev":663.2,"var":439900.2,"ent":4.2,"data": [66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442]},"bins": {"c_to_s": [11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]}}
+01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":58,"avg":116901.0,"max":1262510,"stddev":291863.6,"var":85184339968.0,"ent":2.7,"data": [109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118]},"pktlen": {"min":60,"avg":696.0,"max":1442,"stddev":663.2,"var":439900.2,"ent":4.2,"data": [66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442]},"bins": {"c_to_s": [11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]}}
 01676{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905469778844,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905469778844,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905469778844,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C9hAAIAGrVgKBBllisWTZcKMAbv+vEuFAAAAAIAC\/\/8e8wAAAgQFtAEDAwgBAQQC"}
@@ -58,10 +58,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6136246 bytes
-~~ total memory freed........: 6136246 bytes
+~~ total memory allocated....: 6136222 bytes
+~~ total memory freed........: 6136222 bytes
 ~~ total allocations/frees...: 123943/123943
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1961 chars
-~~ json string avg len.......: 1225 chars
+~~ json string max len.......: 1959 chars
+~~ json string avg len.......: 1224 chars
diff --git a/test/results/encrypted_sni.pcap.out b/test/results/encrypted_sni.pcap.out
index 57942b77b..faabbc921 100644
--- a/test/results/encrypted_sni.pcap.out
+++ b/test/results/encrypted_sni.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047013 bytes
-~~ total memory freed........: 6047013 bytes
+~~ total memory allocated....: 6047001 bytes
+~~ total memory freed........: 6047001 bytes
 ~~ total allocations/frees...: 121522/121522
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/esp.pcapng.out b/test/results/esp.pcapng.out
index 2afa16f3d..041ce8e83 100644
--- a/test/results/esp.pcapng.out
+++ b/test/results/esp.pcapng.out
@@ -20,8 +20,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037447 bytes
-~~ total memory freed........: 6037447 bytes
+~~ total memory allocated....: 6037439 bytes
+~~ total memory freed........: 6037439 bytes
 ~~ total allocations/frees...: 121503/121503
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/ethereum.pcap.out b/test/results/ethereum.pcap.out
index 7128f7be9..23d7dad97 100644
--- a/test/results/ethereum.pcap.out
+++ b/test/results/ethereum.pcap.out
@@ -86,11 +86,11 @@
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364654361,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364654361,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":171,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":171,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364654361,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"128.0.51.140","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523420,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364657828,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC8GWDwD0S1PwKgBuHZf3TTdrvLSmxdVZqAScSC43wAAAgQFrAQCCApOlRAnItiUTwEDAwc="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":126,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364657930,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364657930,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR0TAqAG4A9EtT900dl+bF1Vm3a7y04AQECxIFwAAAQEICiLYlNBOlRAn"}
-01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7898.0,"max":63466,"stddev":18325.6,"var":335828128.0,"ent":2.4,"data": [42899,42982,2208,63466,818,46,62123,6,373,313,356,354,126,10,127,6,123,159,339,3,86,17,41,85,11,59,21,32,10,27626,14,0]},"pktlen": {"min":60,"avg":105.2,"max":561,"stddev":114.1,"var":13011.4,"ent":4.5,"data": [78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7898.0,"max":63466,"stddev":18325.6,"var":335828128.0,"ent":2.4,"data": [42899,42982,2208,63466,818,46,62123,6,373,313,356,354,126,10,127,6,123,159,339,3,86,17,41,85,11,59,21,32,10,27626,14]},"pktlen": {"min":60,"avg":105.2,"max":561,"stddev":114.1,"var":13011.4,"ent":4.5,"data": [78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659294,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364659294,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGv5TAqAG4KEOQgN02dl98bCWSAAAAALAC\/\/8OmwAAAgQFtAEDAwUBAQgKItiU0QAAAAAEAgAA"}
 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":141,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364659971,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":395,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659971,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9072.3,"max":62996,"stddev":18852.3,"var":355411104.0,"ent":2.7,"data": [42941,42985,1880,62851,2026,2,12,7,1,62996,2,23,5,115,83,3,1324,29,68,8,50,438,29,39,9,101,32217,29,13,30178,778,0]},"pktlen": {"min":66,"avg":121.8,"max":612,"stddev":122.8,"var":15078.8,"ent":4.5,"data": [78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78]},"bins": {"c_to_s": [14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9072.3,"max":62996,"stddev":18852.3,"var":355411104.0,"ent":2.7,"data": [42941,42985,1880,62851,2026,2,12,7,1,62996,2,23,5,115,83,3,1324,29,68,8,50,438,29,39,9,101,32217,29,13,30178,778]},"pktlen": {"min":66,"avg":121.8,"max":612,"stddev":122.8,"var":15078.8,"ent":4.5,"data": [78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78]},"bins": {"c_to_s": [14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522823,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364667606,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEG8jtCKlL2wKgBuHZf3SQj+YV4f2iiaKAScSArVwAAAgQFrAQCCAodkmB\/ItiUTwEDAwc="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":182,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364667656,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364667656,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG40PAqAG4QipS9t0kdl9\/aKJoI\/mFeYAQECy6hgAAAQEICiLYlNgdkmB\/"}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364632239,"flow_dst_last_pkt_time":1578508364668680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364668680,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEGF+czJjxPwKgBuHZf3TW8w0qY6ojTGKAScSDV+QAAAgQFrAQCCAphOp2qItiUuAEDAwc="}
@@ -109,7 +109,7 @@
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522827,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364717778,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMGVBhoKtkZwKgBuHZf3SMhYrdg7BRmI6AS\/ohxlQAAAgQFoAQCCAru0q\/IItiUTwEDAwc="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364717893,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364717893,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGNyDAqAG4aCrZGd0jdl\/sFGYjIWK3YYAQEAmOFAAAAQEICiLYlQju0q\/I"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364719135,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364719135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01759{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":10767.0,"max":70198,"stddev":24163.0,"var":583848512.0,"ent":2.4,"data": [70028,70198,1425,62112,2103,2,2,32,23,22,62731,3,15,11,2,8,85,118,636,45,106,25,18,64,32,95,10,50,9,63729,37,0]},"pktlen": {"min":60,"avg":104.3,"max":578,"stddev":111.3,"var":12394.7,"ent":4.5,"data": [78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":10767.0,"max":70198,"stddev":24163.0,"var":583848512.0,"ent":2.4,"data": [70028,70198,1425,62112,2103,2,2,32,23,22,62731,3,15,11,2,8,85,118,636,45,106,25,18,64,32,95,10,50,9,63729,37]},"pktlen": {"min":60,"avg":104.3,"max":578,"stddev":111.3,"var":12394.7,"ent":4.5,"data": [78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729181,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1097,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1097,"pkt_l4_len":1063,"thread_ts_usec":1578508364729181,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ7gO1AADART9iAADOMwKgBuHZfdl8EJxcg9PffAeslidE0A2XYKUWPfQSrSzELT24RQsZMkDFAUC\/8t71UobxaKgVF9YFxtOS9Li4RLrxMDnrT4k5PGgw2NDHZtKrKg8J\/d2YlScEj\/YBR+sG3bhx8yqSCwFLu+QmtAQT5A7r5A7L4TYRQniRSgnZfgnZfuEDy+3Y1qZpk8\/KZSHkhI\/dUtq2PmnojEAJ+pvc2bi3A23IJ6RM8OAW49hm6EgP+nw9QrdJ1FOvq3+1MzaqVwKmC+E2ETi\/CnoJ2X4J2X7hA+Q4zg2oOekCIJoV1y\/ualFI8sA2WiSVXjBsUf\/fkEaUBa4ucL3qlgbfTJJpR6RtQSjEN0kW4Om6HGzu56xhcP\/hNhF6CJvWCdl+Cdl+4QCa0AdVA2\/h5KxbzG7wSXhKLcgLDQf3VZM6j4pcDpEr22I0w8vjr3eeZrANzqy+B0k7Jw6sj9qOYOkYu9v1\/HcL4S4QXZGXDgsVFgLhA4dMHiHESZvaZv5XwOSEg7GIAhtTuq\/1+kuZamW7NEWy5Mx7jYjqriPSY+yi8MCrIJ809xx8ts8E05ybrI5RK9vhNhHTKaT+Cdl+Cdl+4QNscTNh1YzVnvcLB2a2lU2bz3gyaTlXXbE+pFLDVoDdFI5ADpod42cruH9wQt79YZLxlJa01FygTlV6X9wnzbsb4TYRSpWAfgnZhgnZhuECxFAegsyOgyfrql\/zztxCELDSekbbhUJf21H8iSNiW9cKP2xirrTz8RKLVHxNA2LkFNcMF8l9m+GUUJJ3wo0ve+E2EZ\/0rzIJ2X4J2X7hA0+1Q\/zfDwmqiJ4L7\/yvPXaADca3\/aoKeqi6XasejIDSTPmS2ILmdZ2LgwWGNQRAtsR66VqR5PIUppHE6JTXzu\/hNhC9aDGqCdl+Cdl+4QEWucUJTr5uswusybUrNZinvmACa+spHP3M8Ca80aMiKTDP2An9QqqbsJgkcvDnFqQSdwmVB0j3FFWWOWXchmBH4TYQ03B+BglLcglLcuEC4ECYNzxwi2kJoJQjyJ6lUniuRlC+UndNWqAZRufW0X533Ymm1WtW8x0w\/1eGqPwGeOGNfU57w7mmrZv5S0MuC+E2EoBCKUoJ2X4J2X7hA7pvrsi4uzujUwcCnzbOXM3k+PSTxp6vSaGlZ+vjNNS2DLnFg12pt76j1a3+aMxZ2sjeuJ4ACTqyhbBihj1yObfhNhLB96meCdl+Cdl+4QMGwHxHg22IaagGZCrHWyox4ceWSrkz5+TUJ7FvSKEAsyUrKnBQ1BKg4U4OyDXv653Ump5Su2Klg\/PAjth\/4FVX4TYQDCFzcgnZfgnZfuEAOe5LjgOGocDnrwWucrGwohrnh\/PIVvUNi2EPcxA3lL9o2I1kGKrrcltIHdy07g5GmzReWD9IntTCd9ncDRnHuhF4WIGA="}
 01070{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":253,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729798,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364729798,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHFgO5AADARUk2AADOMwKgBuHZfdl8BsUbFE+HTPyEyomNSay73CyfrLD8rHnhX7vxj92G3He3rB8i3yggvxA3gI120fMxC8T5NSVg69zUML0xXdXDn6x+i1UJlYzm2ZsL8HkXRcVxsD7\/Cz8uc2cDeR5GmI31rs3BBAAT5AUT5ATz4TYRWzyr3gnZfgnZfuEAwPG4npPFCKterF6wXX6hmKDtHpPLV5Gpyh4HRvQlb1WOtMBiFa5iB1p48IlU7yQzlUhHlEKU2TAWk+UxWCOtE+E2EwKkGMYJ2X4J2X7hAXDWjwnntCdEfY7ZsbIcma6dZim0sS\/6AZlg+cBMsOylaupmT4K85DC7A88jAAB9\/AkNP7Q7FRuWOzTw655z20fhNhF\/YD6SCdl+Cdl+4QMhe7o3oH5yNMBpAbg7BFfLQiRhzAx0IcRlGupvV\/Zui89t4l4x5tGAZhBv4cgNKbiHVFqGfCeCtDh7KA5ZNUtn4TYQ2yX4zgnZfgnZfuEBWXo894U5qji3Sd9oPTupJEBwpi5JkOWop7uGO9PMehSCnS4eHg4+tauk7NJIwG19teeCjKxS93DtycMhLIWGEhF4WIGA="}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":254,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364732443,"flow_src_last_pkt_time":1578508364732443,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364732443,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"111.229.0.180","src_port":30303,"dst_port":20182,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -128,7 +128,7 @@
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523109,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364786203,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GKKu\/6qLGwKgBuHZf3SxpEHBBX7euwaAS\/ohj6AAAAgQFoAQCCAo0GJnqItiUTwEDAwc="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364786273,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364786273,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGFbPAqAG4v+qixt0sdl9ft67BaRBwQoAQEAmAJwAAAQEICiLYlUg0GJnq"}
 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":275,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508364786351,"flow_dst_last_pkt_time":1578508364784751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364786351,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01753{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7643.5,"max":72892,"stddev":17918.8,"var":321082976.0,"ent":2.4,"data": [36441,36500,1495,43967,497,46,63,13,18,43065,4,1,1,17,703,21,64,47,32,88,50,77,17,30,32,72892,13,7,734,1,12,0]},"pktlen": {"min":60,"avg":99.0,"max":487,"stddev":93.3,"var":8701.2,"ent":4.6,"data": [78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60]},"bins": {"c_to_s": [15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7643.5,"max":72892,"stddev":17918.8,"var":321082976.0,"ent":2.4,"data": [36441,36500,1495,43967,497,46,63,13,18,43065,4,1,1,17,703,21,64,47,32,88,50,77,17,30,32,72892,13,7,734,1,12]},"pktlen": {"min":60,"avg":99.0,"max":487,"stddev":93.3,"var":8701.2,"ent":4.6,"data": [78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60]},"bins": {"c_to_s": [15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":285,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508364787529,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":512,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364787529,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":286,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364714836,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364789015,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGVclSkdz5wKgBuHZf3TlFnUTdn3ylU6AScSDFhwAAAgQFrAQCCAqGNr5sItiVBQEDAwc="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":287,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364789130,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364789130,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGSNnAqAG4UpHc+d05dl+ffKVTRZ1E3oAQECxU+wAAAQEICiLYlUqGNr5s"}
@@ -155,8 +155,8 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":384,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523145,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364877648,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACEGk4U0u88bwKgBuHZf3S3Pd7n11PppgaAS\/oiD+wAAAgQFoAQCCApvJb2EItiUTwEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":385,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364877742,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364877742,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGdI3AqAG4NLvPG90tdl\/U+mmBz3e59oAQEAmf6AAAAQEICiLYlZpvJb2E"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508364879259,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364879259,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11802.6,"max":78584,"stddev":26563.9,"var":705640768.0,"ent":2.4,"data": [68454,68561,1411,78125,1877,68,78584,38,219,12,4,177,15,1,106,11,115,2,426,13,74,15,66,39,30,87,16,26,26,67245,39,0]},"pktlen": {"min":60,"avg":104.4,"max":545,"stddev":111.1,"var":12335.6,"ent":4.5,"data": [78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11526.1,"max":77251,"stddev":26248.2,"var":688970368.0,"ent":2.4,"data": [74179,74294,1198,77251,76054,663,12,594,2,179,16,57,19,60,67,15,72,28,42,24,51962,31,247,15,13,11,81,2,10,6,105,0]},"pktlen": {"min":60,"avg":101.1,"max":508,"stddev":105.3,"var":11090.0,"ent":4.6,"data": [78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11802.6,"max":78584,"stddev":26563.9,"var":705640768.0,"ent":2.4,"data": [68454,68561,1411,78125,1877,68,78584,38,219,12,4,177,15,1,106,11,115,2,426,13,74,15,66,39,30,87,16,26,26,67245,39]},"pktlen": {"min":60,"avg":104.4,"max":545,"stddev":111.1,"var":12335.6,"ent":4.5,"data": [78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11526.1,"max":77251,"stddev":26248.2,"var":688970368.0,"ent":2.4,"data": [74179,74294,1198,77251,76054,663,12,594,2,179,16,57,19,60,67,15,72,28,42,24,51962,31,247,15,13,11,81,2,10,6,105]},"pktlen": {"min":60,"avg":101.1,"max":508,"stddev":105.3,"var":11090.0,"ent":4.6,"data": [78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364922060,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364922060,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364922060,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+OGAAAAgQFtAEDAwUBAQgKItiVxAAAAAAEAgAA"}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364924936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364924936,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -169,7 +169,7 @@
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364932939,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364932939,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGvd3AqAG4Etunn90\/dl9+5\/UeAAAAALAC\/\/851wAAAgQFtAEDAwUBAQgKItiVzQAAAAAEAgAA"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":473,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508364933835,"flow_dst_last_pkt_time":1578508364932308,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":571,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364933835,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23032.1,"max":164457,"stddev":52707.1,"var":2778034688.0,"ent":2.4,"data": [134408,134510,2041,164457,730,163149,164,16,91,13,125,16,10,133,2,2,198,213,439,13,62,28,71,55,19,91,9,24,22,112857,28,0]},"pktlen": {"min":60,"avg":103.0,"max":536,"stddev":105.0,"var":11031.5,"ent":4.6,"data": [78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23032.1,"max":164457,"stddev":52707.1,"var":2778034688.0,"ent":2.4,"data": [134408,134510,2041,164457,730,163149,164,16,91,13,125,16,10,133,2,2,198,213,439,13,62,28,71,55,19,91,9,24,22,112857,28]},"pktlen": {"min":60,"avg":103.0,"max":536,"stddev":105.0,"var":11031.5,"ent":4.6,"data": [78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01936{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1099,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1099,"pkt_l4_len":1065,"thread_ts_usec":1578508364954898,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ91J1AACwRmVQjtPapwKgBuHZddl8EKaTIL6PiPVD76wxxux15bHRlnSs2av4nBFSV7v4bhHiIpeAMxLmbK8f6wiaJfQicCaKdl2RU3riNA4G85e32CrySn3+r4nugeiGUNmLmJTGwe70KAk\/1yl9pMbVr5iHiC9EbAQT5A7z5A7T4TYSnVnoygnZfgnZfuECQJNyxBglNPC+n9m4t\/W08TtywpdWYdWjkRxmhkajaDCz+gK\/mbTitDTyIYj\/DM6dFql13rAhhOsl+TepFcV7R+E2EVmvzPoJ2X4J2X7hAs1lDgaitKFA3cxLdFsLwt7VebQyms4a6o\/fivZtKo8AkJ6dL4w4Dn4+\/vC\/\/JsKeSIScYYBOpqnxxVMZ+XWFxvhNhIui\/9KCdl+Cdl+4QKesUvPGk3pcExPSpjjyYak+S\/zgRaKyCtkCAnADlTupsK\/kU6vbTyjVeYLvjRqhlLfuaobh1XsP1yYWbMEwCkP4TYROL5ObgnZfgnZfuEBjjxCUsfvwMHRxTE5YrP7+ISCuREmPbKrzjoabqIoNEUz\/YRnAV2w6k47DZjKIksCMD5bt88unhn0EsLYp\/SzX+E2EXkQ3ooJ2X4J2X7hAPuP3gMJbiMdT+jVwpl443XaSBNUfQ0qZUmbru+9L8er4h7zKFM+7c1K4WVxLv0mgiZa++5g5WXQyn8nQTgubb\/hNhIpLq76Cdl+Cdl+4QPw+TE9tCaxzvKUZLrSUydGaIDt2Km6jvC1h7Hg9CIqQESMae7r6mkOxEncigdCNSYhdj\/fphc\/puhfvJzVEsBH4TYQj6yXYgnZfgnZfuEC5nQSZ\/xzD17vSEoHg\/jtmGLuRaM3q97\/3Czva8FggRyrw44MHO8OtruMk8OoTJc88hHmdKvMBoeGC+K0eEhFi+E2Ep1ZKIYJ2XYJ2XbhAYZoPsgtYlBM737vFkYUTo\/9EphiWRNvy3F9PFQKE60Wg2vh7fDKeVFJ2s+C3+rlsvule\/8FMZch7lhCdhu+rUPhNhJ3mmFeCdl+Cdl+4QGQs+WUN2IadQlJdv2hYAS47TWT0deczhHq293QjQaQ5dBSGXZU4dOj17ZGw5OHFM97hStHWuydqVFmyRxRg\/w34TYQ050sDgsVJgsVJuEDzSXu93jNII3idYaebqM1QwrATGCoZMfOLWHKo8\/HNEvGmOW1TsZdycKJciiZgh6ud1sRz67L9tP+HeODfKFTV+E2EDfsOx4J2X4J2X7hAH7mV1eGOz5WoeIocWFwRYF7ZVBDRcdtaFFH5u23BFJ62FH1ch71cEmxc8OtYpiPqb2N3y6mQjsQPeWAgtQws9vhNhCPknjSCdl+Cdl+4QFeAPtyTjNbAmZsxJ+YSStMfUptpi+Ck9CtWlo\/Fnkmot5zzhg4wYebjEaqIDMNNKgYreTwT+o6X4euclIzcKBSEXhYgYA=="}
 01076{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954930,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364954930,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHF1J5AACwRm8sjtPapwKgBuHZddl8BsQR1SNeP1ZrG\/ZwtEcGW5vGA0sDGp78prdWhxHtDqEDU7PNKL6kZEdICkE\/ClTr5riDvJ\/S0Juy5pZvsiDZ34LyanRNXXRjpzjohXnlvDARKWl\/FPyuFUx\/5q7iG79kKNiaGAAT5AUT5ATz4TYS5GczRgm\/xgm\/xuEBa13f1PeAY+pXn+QDG2H2vRnbUjALc47yKM1DGaLaCBXAmqDZbTzNfSqGBTAVPFFnsJtnCFC0Fv0w0bIIRmdWp+E2EijsROoJ2X4J2X7hAJi3PrTUi8k0+hp72TGveiEIya6qIgjO27CDPgcM2XClPC4ML\/96HDCNIKvA6L6b3KKoTFoGm44u2hTJ2hJ9PJvhNhM+0ztiCdl+Cdl+4QCCTHaJCBMKOiAeM0+J0ILaNmDQGKBpq95aDifzAyS6BBPIijEGzkyTvF6L1V27y7PdVSWOVkbAaliLEx1mlVCv4TYRf2EBxgnX+gnX+uEAuHZY2QcmV8WQCz4M\/VG5LfG7tHam\/sFovnjhq\/yEXmxTFgIMHUbncizgn1Jn7XeiL7CoOoCVHxB7uvvn28VO3hF4WIGA="}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":488,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364957524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364957524,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGw5PR+vDNwKgBuHZf3T7\/g0hGkL7bbKAScSAsgwAAAgQFrAQCCAoN8FcJItiVxgEDAwc="}
@@ -184,13 +184,13 @@
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":568,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365021490,"flow_dst_last_pkt_time":1578508365021490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365021490,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGuz\/AqAG4sj4K2t1Cdl8xVnl5AAAAALAC\/\/8AHAAAAgQFtAEDAwUBAQgKItiWHgAAAAAEAgAA"}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365029590,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365029590,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGqGLAqAG4sj4dt91Ddl+W2yuDAAAAALAC\/\/\/VpgAAAgQFtAEDAwUBAQgKItiWJgAAAAAEAgAA"}
-01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7306.0,"max":43142,"stddev":14269.1,"var":203606176.0,"ent":2.8,"data": [32588,32677,1133,41248,3045,43142,1077,15,57,29,33,2220,3,33,1051,3,12,110,51,429,10,11,17,141,33844,34,22,20,33327,11,92,0]},"pktlen": {"min":66,"avg":120.0,"max":560,"stddev":112.4,"var":12624.2,"ent":4.6,"data": [78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66]},"bins": {"c_to_s": [13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7306.0,"max":43142,"stddev":14269.1,"var":203606176.0,"ent":2.8,"data": [32588,32677,1133,41248,3045,43142,1077,15,57,29,33,2220,3,33,1051,3,12,110,51,429,10,11,17,141,33844,34,22,20,33327,11,92]},"pktlen": {"min":66,"avg":120.0,"max":560,"stddev":112.4,"var":12624.2,"ent":4.6,"data": [78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66]},"bins": {"c_to_s": [13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365038942,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365038942,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365038942,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG\/kfAqAG4DeZsKt1Edl+KMGOvAAAAALAC\/\/8AAwAAAgQFtAEDAwUBAQgKItiWLQAAAAAEAgAA"}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":605,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365009842,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365039176,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGe3mQW3iHwKgBuHZf3UEpl2emdDhi4qAScSAVuAAAAgQFrAQCCArbhaVwItiWFAEDAwc="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":606,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365039222,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365039222,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGb4HAqAG4kFt4h91Bdl90OGLiKZdnp4AQECylVgAAAQEICiLYli7bhaVw"}
 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":607,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365009842,"flow_src_last_pkt_time":1578508365040566,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365040566,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"144.91.120.135","src_port":56641,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21202.0,"max":158141,"stddev":48725.8,"var":2374199552.0,"ent":2.4,"data": [158073,158141,1927,112688,964,45,111769,2,97,24,66,10,893,34,92,13,26,143,3,148,30,48,25,111098,32,825,2,26,2,1,16,0]},"pktlen": {"min":60,"avg":101.3,"max":497,"stddev":103.8,"var":10779.3,"ent":4.6,"data": [78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21202.0,"max":158141,"stddev":48725.8,"var":2374199552.0,"ent":2.4,"data": [158073,158141,1927,112688,964,45,111769,2,97,24,66,10,893,34,92,13,26,143,3,148,30,48,25,111098,32,825,2,26,2,1,16]},"pktlen": {"min":60,"avg":101.3,"max":497,"stddev":103.8,"var":10779.3,"ent":4.6,"data": [78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365045064,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365045064,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGOT7AqAG4uduFPt1Fdl+PNscoAAAAALAC\/\/\/ScwAAAgQFtAEDAwUBAQgKItiWMgAAAAAEAgAA"}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508365063785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365063785,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMG2uES26efwKgBuHZf3T9fy8\/Lfuf1H6ASaN8cNgAAAgQFrAQCCAoSyYNbItiVzQEDAwc="}
@@ -210,16 +210,16 @@
 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":718,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365094017,"flow_dst_last_pkt_time":1578508365092283,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":410,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094017,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365094625,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"182.162.161.61","src_port":56647,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365094625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGIHjAqAG4tqKhPd1Hdl8HffxGAAAAALAC\/\/8MGQAAAgQFtAEDAwUBAQgKItiWYAAAAAAEAgAA"}
-01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":31375.8,"max":202293,"stddev":71334.6,"var":5088628224.0,"ent":2.4,"data": [194951,195066,1242,202293,279,25,201303,2,92,53,99,12,102,9,99,103,126,125,566,17,55,13,75,43,16,62,14,42,23,175388,354,0]},"pktlen": {"min":60,"avg":105.8,"max":556,"stddev":115.5,"var":13350.2,"ent":4.5,"data": [78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":31375.8,"max":202293,"stddev":71334.6,"var":5088628224.0,"ent":2.4,"data": [194951,195066,1242,202293,279,25,201303,2,92,53,99,12,102,9,99,103,126,125,566,17,55,13,75,43,16,62,14,42,23,175388,354]},"pktlen": {"min":60,"avg":105.8,"max":556,"stddev":115.5,"var":13350.2,"ent":4.5,"data": [78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":755,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365079165,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365104666,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGeqysaV4+wKgBuHZf3UajVVX7HTpq6KAS\/ojIGAAAAgQFrAQCCAobAQsKItiWUQEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":756,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365104768,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365104768,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGbbzAqAG4rGlePt1Gdl8dOmroo1VV\/IAQECzlIgAAAQEICiLYlmgbAQsK"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":757,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365105962,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":474,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365105962,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":17655.5,"max":109385,"stddev":39696.4,"var":1575808128.0,"ent":2.4,"data": [107626,107678,1475,109033,1825,109385,687,13,52,13,68,1028,198,109,79,136,133,112,7,116,2,80,130,42,5,71,30,33,21,107121,13,0]},"pktlen": {"min":60,"avg":109.6,"max":637,"stddev":130.9,"var":17130.1,"ent":4.4,"data": [78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":17655.5,"max":109385,"stddev":39696.4,"var":1575808128.0,"ent":2.4,"data": [107626,107678,1475,109033,1825,109385,687,13,52,13,68,1028,198,109,79,136,133,112,7,116,2,80,130,42,5,71,30,33,21,107121,13]},"pktlen": {"min":60,"avg":109.6,"max":637,"stddev":130.9,"var":17130.1,"ent":4.4,"data": [78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365153718,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365153718,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGWefAqAG4I+T6jN1Kdl95PEStAAAAALAC\/\/+LMAAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365154075,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365154075,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4TfAqAG4iskMV91Ldl\/HR3E5AAAAALAC\/\/+X6AAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"}
-01771{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":8956.6,"max":48881,"stddev":17793.5,"var":316609056.0,"ent":2.7,"data": [44428,44545,1146,47405,2629,34,48881,2,106,60,120,15,121,3,107,116,574,31,61,16,57,386,11,31,13,50,43304,549,42693,151,10,0]},"pktlen": {"min":66,"avg":106.9,"max":535,"stddev":97.8,"var":9570.5,"ent":4.6,"data": [78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":8956.6,"max":48881,"stddev":17793.5,"var":316609056.0,"ent":2.7,"data": [44428,44545,1146,47405,2629,34,48881,2,106,60,120,15,121,3,107,116,574,31,61,16,57,386,11,31,13,50,43304,549,42693,151,10]},"pktlen": {"min":66,"avg":106.9,"max":535,"stddev":97.8,"var":9570.5,"ent":4.6,"data": [78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365169225,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365169225,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGP33AqAG4sAmI0d1Mdl8ouUvbAAAAALAC\/\/+6CgAAAgQFtAEDAwUBAQgKItiWngAAAAAEAgAA"}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":928,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365186673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365186673,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG7zuKyQxXwKgBuHZf3Uu6UG6Lx0dxOqAScSDP1QAAAgQFrAQCCAq1b4mgItiWjwEDAwc="}
@@ -230,7 +230,7 @@
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365189369,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcflcAAEARfx\/AqAG4Etunn3Zfdl8AiGnBB7Pc5ZlsDZTbUrqaaoRxeL1l7Crbcxf\/BOXFZNGdyZsOxpmBlW67u9+KWe59CkWnKw2GIsEnEKk87oxTf3me3BvKcrMQD0jXMXlBXiHkLViPnwRaOVxyx4odh7D\/BO97AAHdBMuEfwAAAYJ2X4J2X8mEEtunn4J2X4CEXhYgYQU="}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9603.5,"max":51634,"stddev":18821.1,"var":354234048.0,"ent":2.8,"data": [47219,47359,1594,49528,3728,51634,828,16,1020,92,14,1,37,127,71,134,135,105,102,138,138,353,12,12,16,83,45623,1100,32,46342,115,0]},"pktlen": {"min":66,"avg":107.9,"max":476,"stddev":97.7,"var":9536.3,"ent":4.6,"data": [78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9603.5,"max":51634,"stddev":18821.1,"var":354234048.0,"ent":2.8,"data": [47219,47359,1594,49528,3728,51634,828,16,1020,92,14,1,37,127,71,134,135,105,102,138,138,353,12,12,16,83,45623,1100,32,46342,115]},"pktlen": {"min":66,"avg":107.9,"max":476,"stddev":97.7,"var":9536.3,"ent":4.6,"data": [78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365194618,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365194618,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":56655,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365194618,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGkX3AqAG4ynAcat1Pdl84sWAlAAAAALAC\/\/\/nsAAAAgQFtAEDAwUBAQgKItiWswAAAAAEAgAA"}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1015,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365201994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365201994,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGTYGwCYjRwKgBuHZf3UxCOLg9KLlL3KAScSB8NwAAAgQFrAQCCAqsVDbiItiWngEDAwc="}
@@ -239,8 +239,8 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1018,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365210541,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGY+sj5PqMwKgBuHZf3UovaHbWeTxErqASbgBmbgAAAgQFjAQCCAqaQodaItiWjwEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1019,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365210643,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365210643,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGWfPAqAG4I+T6jN1Kdl95PESuL2h214AQECjytwAAAQEICiLYlsKaQoda"}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1028,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365212245,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":462,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365212245,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38137.1,"max":261804,"stddev":87113.6,"var":7588779008.0,"ent":2.3,"data": [261712,261804,1508,222767,73,3,23,221290,9,6,194,11,189,20,102,10,88,9,563,27,71,35,50,54,29,73,9,29,34,211443,15,0]},"pktlen": {"min":60,"avg":104.2,"max":519,"stddev":109.1,"var":11904.3,"ent":4.6,"data": [78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":38221.0,"max":263164,"stddev":87319.6,"var":7624720896.0,"ent":2.3,"data": [263094,263164,1256,221848,245,3,9,220800,8,13,125,15,115,10,130,9,138,8,711,8,50,43,2,70,7,75,9,33,11,212620,221,0]},"pktlen": {"min":60,"avg":106.1,"max":578,"stddev":117.4,"var":13788.7,"ent":4.5,"data": [78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38137.1,"max":261804,"stddev":87113.6,"var":7588779008.0,"ent":2.3,"data": [261712,261804,1508,222767,73,3,23,221290,9,6,194,11,189,20,102,10,88,9,563,27,71,35,50,54,29,73,9,29,34,211443,15]},"pktlen": {"min":60,"avg":104.2,"max":519,"stddev":109.1,"var":11904.3,"ent":4.6,"data": [78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":38221.0,"max":263164,"stddev":87319.6,"var":7624720896.0,"ent":2.3,"data": [263094,263164,1256,221848,245,3,9,220800,8,13,125,15,115,10,130,9,138,8,711,8,50,43,2,70,7,75,9,33,11,212620,221]},"pktlen": {"min":60,"avg":106.1,"max":578,"stddev":117.4,"var":13788.7,"ent":4.5,"data": [78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1061,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189114,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365223317,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGxFFV1mw0wKgBuHZf3U5vpmVtv4fCo6ASOJBjegAAAgQFrAQCCApls11ZItiWsAEDAwc="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1062,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365223392,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365223392,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGtlnAqAG4VdZsNN1Odl+\/h8Kjb6ZlboAQECy6hQAAAQEICiLYls1ls11Z"}
 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1071,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365189114,"flow_src_last_pkt_time":1578508365225314,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":508,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":508,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365225314,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"85.214.108.52","src_port":56654,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -248,9 +248,9 @@
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365226088,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365226088,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQk7AqAG4ikurvt1Rdl8erUWUAAAAALAC\/\/\/M9wAAAgQFtAEDAwUBAQgKItiW0AAAAAAEAgAA"}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365239758,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365239758,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQhrAqAG4neaYV91Sdl9OT1qyAAAAALAC\/\/+H9wAAAgQFtAEDAwUBAQgKItiW2wAAAAAEAgAA"}
-01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":5636.8,"max":36541,"stddev":12197.5,"var":148778048.0,"ent":2.6,"data": [32598,32641,1212,33881,3882,36541,367,364,134,135,131,136,417,10,43,12,102,2,13,40,18,46,15,31120,114,13,120,11,562,50,11,0]},"pktlen": {"min":60,"avg":98.1,"max":483,"stddev":91.5,"var":8376.2,"ent":4.6,"data": [78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01784{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12407.3,"max":116020,"stddev":26211.9,"var":687065472.0,"ent":2.9,"data": [25501,25603,1194,25860,91412,116020,834,13,59,13,31,24470,23554,429,12,15,16,655,121,709,21,11,5,23284,18,24097,248,344,46,20,10,0]},"pktlen": {"min":66,"avg":116.3,"max":540,"stddev":108.5,"var":11769.5,"ent":4.6,"data": [78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78]},"bins": {"c_to_s": [14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5575.5,"max":34994,"stddev":12229.4,"var":149558160.0,"ent":2.5,"data": [32769,32829,1344,33937,2357,34994,270,193,122,12,123,10,417,12,70,10,89,1,14,53,11,44,42,32625,14,112,124,133,12,7,92,0]},"pktlen": {"min":60,"avg":104.6,"max":597,"stddev":116.9,"var":13676.1,"ent":4.5,"data": [78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":5636.8,"max":36541,"stddev":12197.5,"var":148778048.0,"ent":2.6,"data": [32598,32641,1212,33881,3882,36541,367,364,134,135,131,136,417,10,43,12,102,2,13,40,18,46,15,31120,114,13,120,11,562,50,11]},"pktlen": {"min":60,"avg":98.1,"max":483,"stddev":91.5,"var":8376.2,"ent":4.6,"data": [78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01782{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12407.3,"max":116020,"stddev":26211.9,"var":687065472.0,"ent":2.9,"data": [25501,25603,1194,25860,91412,116020,834,13,59,13,31,24470,23554,429,12,15,16,655,121,709,21,11,5,23284,18,24097,248,344,46,20,10]},"pktlen": {"min":66,"avg":116.3,"max":540,"stddev":108.5,"var":11769.5,"ent":4.6,"data": [78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78]},"bins": {"c_to_s": [14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5575.5,"max":34994,"stddev":12229.4,"var":149558160.0,"ent":2.5,"data": [32769,32829,1344,33937,2357,34994,270,193,122,12,123,10,417,12,70,10,89,1,14,53,11,44,42,32625,14,112,124,133,12,7,92]},"pktlen": {"min":60,"avg":104.6,"max":597,"stddev":116.9,"var":13676.1,"ent":4.5,"data": [78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365271977,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365271977,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGLavAqAG4M6EXDN1Udl9XVw7PAAAAALAC\/\/+2RQAAAgQFtAEDAwUBAQgKItiW9wAAAAAEAgAA"}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1195,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365279592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365279592,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -259,13 +259,13 @@
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1208,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365295537,"flow_dst_last_pkt_time":1578508365295537,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365295537,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGbF\/AqAG4I+XoE91Wdl\/o6wkCAAAAALAC\/\/9pGwAAAgQFtAEDAwUBAQgKItiXDAAAAAAEAgAA"}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365300081,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365300081,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGD8rAqAG4fNnrtN1Xdl9L2gYiAAAAALAC\/\/+scgAAAgQFtAEDAwUBAQgKItiXEAAAAAAEAgAA"}
-01779{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":25594.8,"max":159357,"stddev":56992.8,"var":3248178688.0,"ent":2.5,"data": [157669,157791,1578,152892,8130,159357,1177,13,61,20,78,1877,13,527,1,123,12,130,3,101,114,166,3,78,34,46,32,749,390,149661,614,0]},"pktlen": {"min":60,"avg":101.5,"max":479,"stddev":99.1,"var":9815.1,"ent":4.6,"data": [78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":20402.5,"max":130950,"stddev":46194.5,"var":2133934848.0,"ent":2.4,"data": [130846,130950,1277,122765,1253,122671,155,10,149,9,88,86,123,126,124,123,256,9,49,17,28,59,7,51,29,22,20,121098,33,23,22,0]},"pktlen": {"min":60,"avg":107.0,"max":587,"stddev":122.2,"var":14931.5,"ent":4.5,"data": [78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60]},"bins": {"c_to_s": [16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":25594.8,"max":159357,"stddev":56992.8,"var":3248178688.0,"ent":2.5,"data": [157669,157791,1578,152892,8130,159357,1177,13,61,20,78,1877,13,527,1,123,12,130,3,101,114,166,3,78,34,46,32,749,390,149661,614]},"pktlen": {"min":60,"avg":101.5,"max":479,"stddev":99.1,"var":9815.1,"ent":4.6,"data": [78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":20402.5,"max":130950,"stddev":46194.5,"var":2133934848.0,"ent":2.4,"data": [130846,130950,1277,122765,1253,122671,155,10,149,9,88,86,123,126,124,123,256,9,49,17,28,59,7,51,29,22,20,121098,33,23,22]},"pktlen": {"min":60,"avg":107.0,"max":587,"stddev":122.2,"var":14931.5,"ent":4.5,"data": [78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60]},"bins": {"c_to_s": [16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00700{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315790,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":192,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":192,"pkt_l4_len":158,"thread_ts_usec":1578508365315790,"pkt":"KDc3AG3IEBMx8Tl2CABFAACymwlAACMRP1cS26efwKgBuHZfdl8AnsFrVj4puAH6ZgARKbHJmno0oUTDSx6ME3WyQvgYFdLFf82IMxF0n+9n2kTCv9WKp0W5OWAeoQIHesUQlOhBZUox8XuUKjSw2r\/cLxIh6clEUwjRudwx4mptlXU2a3WMaDxBAALzy4RPFs69gun3gnZfoAez3OWZbA2U21K6mmqEcXi9Zewq23MX\/wTlxWTRncmbhF4WIGEK"}
 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365315825,"pkt":"KDc3AG3IEBMx8Tl2CABFAACcmwpAACMRP2wS26efwKgBuHZfdl8AiLphceZOwZGufNXFAvXWI774ooc6PkwC6kxvzCm0BhiTs\/TWig3gE4P3+Y0lY\/Fll4rTUKnacLSuqKdSUAk7eTbz218E2dS8j3sLMJigll9ziTSt7jKgE6R7GxELpoJhO+ReAQHdBMuEEtunn4J2X4J2X8mETxbOvYLp94CEXhYgYQo="}
-01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11280.5,"max":57129,"stddev":22219.5,"var":493705824.0,"ent":2.8,"data": [56823,56925,1602,56390,2342,57129,531,462,124,8,117,8,162,10,51,23,20,1132,926,430,2,33,26,92,56511,32,22,55939,9,1784,32,0]},"pktlen": {"min":66,"avg":114.4,"max":528,"stddev":109.7,"var":12030.8,"ent":4.6,"data": [78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":43981.5,"max":300415,"stddev":100376.1,"var":10075352064.0,"ent":2.3,"data": [300373,300415,1705,253379,743,11,252408,10,126,124,122,12,120,7,112,11,115,13,362,33,90,11,17,64,29,59,24,45,44,252812,30,0]},"pktlen": {"min":60,"avg":102.3,"max":597,"stddev":106.2,"var":11275.5,"ent":4.6,"data": [78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01780{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":45181.0,"max":308079,"stddev":102626.0,"var":10532101120.0,"ent":2.4,"data": [308002,308079,2079,260252,1619,259755,495,482,122,10,122,8,118,9,119,17,140,15,66,21,45,75,23,49,39,20,18,2347,1915,254515,36,0]},"pktlen": {"min":60,"avg":103.8,"max":537,"stddev":108.1,"var":11684.8,"ent":4.6,"data": [78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11280.5,"max":57129,"stddev":22219.5,"var":493705824.0,"ent":2.8,"data": [56823,56925,1602,56390,2342,57129,531,462,124,8,117,8,162,10,51,23,20,1132,926,430,2,33,26,92,56511,32,22,55939,9,1784,32]},"pktlen": {"min":66,"avg":114.4,"max":528,"stddev":109.7,"var":12030.8,"ent":4.6,"data": [78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":43981.5,"max":300415,"stddev":100376.1,"var":10075352064.0,"ent":2.3,"data": [300373,300415,1705,253379,743,11,252408,10,126,124,122,12,120,7,112,11,115,13,362,33,90,11,17,64,29,59,24,45,44,252812,30]},"pktlen": {"min":60,"avg":102.3,"max":597,"stddev":106.2,"var":11275.5,"ent":4.6,"data": [78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":45181.0,"max":308079,"stddev":102626.0,"var":10532101120.0,"ent":2.4,"data": [308002,308079,2079,260252,1619,259755,495,482,122,10,122,8,118,9,119,17,140,15,66,21,45,75,23,49,39,20,18,2347,1915,254515,36]},"pktlen": {"min":60,"avg":103.8,"max":537,"stddev":108.1,"var":11684.8,"ent":4.6,"data": [78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1578508365408726,"pkt":"KDc3AG3IEBMx8Tl2CABFAACdhY9AAC4RWjq3gfKkwKgBuAQAdl8AiS5Y3VkKujBE9K5giYMoNotbt65xxd7ko3VSXKgTCSaupxKnp71rmT0XRsX6xoF5macEurqmdfib0\/9m0ybRIVy\/Qzz+\/\/zwyKtEHKyC9Xjjwvc8TLpzNetXjDWFS0pbC\/Z0AQHeBcuErBRsfYJ2X4J2X8uETxbOvYLp94J2X4ReFiBh"}
 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -277,7 +277,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1321,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365419060,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAGUh6d5phXwKgBuHZf3VIVkuQhTk9as6AScSDAlwAAAgQFrAQCCAq827CpItiW2wEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1322,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365419127,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365419127,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQibAqAG4neaYV91Sdl9OT1qzFZLkIoAQECxPsAAAAQEICiLYl3u827Cp"}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1323,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365420924,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365420924,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":49916.1,"max":339297,"stddev":113624.6,"var":12910541824.0,"ent":2.4,"data": [339196,339297,1296,287250,2535,288430,1006,11,1005,14,2,8,122,6,111,4,2,12,35,118,61,115,34,101,31,26,56,616,251,285614,33,0]},"pktlen": {"min":60,"avg":106.1,"max":640,"stddev":119.2,"var":14212.1,"ent":4.5,"data": [78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":49916.1,"max":339297,"stddev":113624.6,"var":12910541824.0,"ent":2.4,"data": [339196,339297,1296,287250,2535,288430,1006,11,1005,14,2,8,122,6,111,4,2,12,35,118,61,115,34,101,31,26,56,616,251,285614,33]},"pktlen": {"min":60,"avg":106.1,"max":640,"stddev":119.2,"var":14212.1,"ent":4.5,"data": [78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1339,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365458807,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwG2AY0CYBEwKgBuHZf3VXR7JfX7e3rXKASaN9TlwAAAgQFrAQCCAqDIEEYItiW\/gEDAwc="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1340,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365458850,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365458850,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxBbAqAG4NAmARN1Vdl\/t7etc0eyX2IAQECzabQAAAQEICiLYl5+DIEEY"}
 00984{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1341,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365460380,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":472,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365460380,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -290,7 +290,7 @@
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1346,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365485758,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GVVKKS6u+wKgBuHZf3VEGdfqIHq1FlaAS\/og\/VgAAAgQFrAQCCAqkAfsSItiW0AEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1347,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365485867,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365485867,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQlrAqAG4ikurvt1Rdl8erUWVBnX6iYAQECxbjgAAAQEICiLYl7mkAfsS"}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1348,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365487180,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":539,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365487180,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01782{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":53600.7,"max":354597,"stddev":122026.8,"var":14890529792.0,"ent":2.4,"data": [354503,354597,1517,316901,1340,316735,173,101,119,114,122,127,128,12,120,9,115,122,283,10,68,11,22,44,44,48,7,18,49,313859,305,0]},"pktlen": {"min":60,"avg":106.4,"max":591,"stddev":118.1,"var":13953.7,"ent":4.5,"data": [78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01780{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":53600.7,"max":354597,"stddev":122026.8,"var":14890529792.0,"ent":2.4,"data": [354503,354597,1517,316901,1340,316735,173,101,119,114,122,127,128,12,120,9,115,122,283,10,68,11,22,44,44,48,7,18,49,313859,305]},"pktlen": {"min":60,"avg":106.4,"max":591,"stddev":118.1,"var":13953.7,"ent":4.5,"data": [78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365567882,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcHIoAAEARCbPAqAG4agwnqHZfdn0AiGszdDnl2LgHwUzwnp\/NUaAjl2\/6ukAyoGtKBC9U9NcJJ2SSjY1bIBQONPG3UmfcMXvTBTN6oZMu6GXIBxr9UadDckfonN6CsHl3H7EBI7wV8mnDuf+AbUa\/i02tPDo+DL09AAHdBMuEfwAAAYJ2X4J2X8mEagwnqIJ2fYCEXhYgYQU="}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -314,13 +314,13 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365688431,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwGI8Z82eu0wKgBuHZf3VfxiPe9S9oGI6AScSAoCwAAAgQFrAQCCArI+HIBItiXEAEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1464,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365688547,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365688547,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGD9bAqAG4fNnrtN1Xdl9L2gYj8Yj3voAQECy2XAAAAQEICiLYmHfI+HIB"}
 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1465,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365690049,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":545,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":545,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365690049,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27565.8,"max":147323,"stddev":54220.4,"var":2939852800.0,"ent":2.8,"data": [139345,139431,1667,141731,7248,147323,778,15,57,13,65,6714,5782,300,242,748,13,7,750,26,2,438,13,27,43,49,129951,188,824,130452,297,0]},"pktlen": {"min":66,"avg":114.2,"max":639,"stddev":122.1,"var":14898.1,"ent":4.5,"data": [78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01784{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27565.8,"max":147323,"stddev":54220.4,"var":2939852800.0,"ent":2.8,"data": [139345,139431,1667,141731,7248,147323,778,15,57,13,65,6714,5782,300,242,748,13,7,750,26,2,438,13,27,43,49,129951,188,824,130452,297]},"pktlen": {"min":66,"avg":114.2,"max":639,"stddev":122.1,"var":14898.1,"ent":4.5,"data": [78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365701530,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365701530,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG7OLAqAG4i6L\/0t1gdl\/B\/P6FAAAAALAC\/\/8ZigAAAgQFtAEDAwUBAQgKItiYggAAAAAEAgAA"}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365712625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365712625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGlo3AqAG4Ti+Tm91hdl8xKZuYAAAAALAC\/\/+26gAAAgQFtAEDAwUBAQgKItiYjAAAAAAEAgAA"}
 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1521,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365736342,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365736342,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHpIMAAEARoqnAqAG4b+UAtHZfTtYAsxSK2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"}
-01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":9596.4,"max":39189,"stddev":16023.4,"var":256750832.0,"ent":3.1,"data": [39074,39189,1465,38437,362,37288,763,13,47,10,88,39176,38284,307,256,561,11,34,20,89,30734,30582,269,187,28,20,37,34,54,6,63,0]},"pktlen": {"min":66,"avg":121.0,"max":606,"stddev":118.7,"var":14100.3,"ent":4.6,"data": [78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70]},"bins": {"c_to_s": [17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":9596.4,"max":39189,"stddev":16023.4,"var":256750832.0,"ent":3.1,"data": [39074,39189,1465,38437,362,37288,763,13,47,10,88,39176,38284,307,256,561,11,34,20,89,30734,30582,269,187,28,20,37,34,54,6,63]},"pktlen": {"min":66,"avg":121.0,"max":606,"stddev":118.7,"var":14100.3,"ent":4.6,"data": [78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70]},"bins": {"c_to_s": [17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365741903,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365741903,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4nHAqAG4XkQ3ot1idl9YCAHzAAAAALAC\/\/91dwAAAgQFtAEDAwUBAQgKItiYqQAAAAAEAgAA"}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1539,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365742943,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365742943,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG+uaLov\/SwKgBuHZf3WDeocLiwfz+hqAS\/ogDJwAAAgQFrAQCCArjm6OzItiYggEDAwc="}
@@ -335,16 +335,16 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1582,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365777046,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365777046,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGLqHAqAG4I+sl2N1jdl9d8bOcqknE0YAQECyPmwAAAQEICiLYmMg1IQWk"}
 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365751805,"flow_src_last_pkt_time":1578508365778282,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":530,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365778282,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.235.37.216","src_port":56675,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1586,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365781990,"flow_dst_last_pkt_time":1578508364776411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365781990,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHjqoAAEARyLjAqAG40WGPAXZfw1AAs7BF2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"}
-01785{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":35029.4,"max":184362,"stddev":71024.3,"var":5044451840.0,"ent":2.6,"data": [179302,179369,1797,184362,177,182759,106,62,111,97,367,12,367,8,114,117,157,11,64,17,19,306,10,10,14,156,176481,904,995,9,177632,0]},"pktlen": {"min":66,"avg":114.1,"max":649,"stddev":121.0,"var":14650.9,"ent":4.5,"data": [78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01783{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":35029.4,"max":184362,"stddev":71024.3,"var":5044451840.0,"ent":2.6,"data": [179302,179369,1797,184362,177,182759,106,62,111,97,367,12,367,8,114,117,157,11,64,17,19,306,10,10,14,156,176481,904,995,9,177632]},"pktlen": {"min":66,"avg":114.1,"max":649,"stddev":121.0,"var":14650.9,"ent":4.5,"data": [78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365813172,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAG8nVeRDeiwKgBuHZf3WKbomHRWAgB9KAScSDEJQAAAgQFrAQCCAppF+qfItiYqQEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365813279,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365813279,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG4n3AqAG4XkQ3ot1idl9YCAH0m6Jh0oAQECxToAAAAQEICiLYmOdpF+qf"}
 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1647,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365814591,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365814591,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365828265,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365828265,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.251.14.199","src_port":56678,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365828265,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGW5bAqAG4DfsOx91mdl9PCwRhAAAAALAC\/\/\/02wAAAgQFtAEDAwUBAQgKItiY9AAAAAAEAgAA"}
-01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":6877.1,"max":42383,"stddev":15108.4,"var":228262896.0,"ent":2.6,"data": [41413,41460,1312,42383,1046,42119,204,192,363,356,369,368,205,23,58,13,64,62,24,80,8,25,33,39148,1363,11,132,116,14,104,121,0]},"pktlen": {"min":60,"avg":98.0,"max":452,"stddev":90.7,"var":8221.2,"ent":4.6,"data": [78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":6877.1,"max":42383,"stddev":15108.4,"var":228262896.0,"ent":2.6,"data": [41413,41460,1312,42383,1046,42119,204,192,363,356,369,368,205,23,58,13,64,62,24,80,8,25,33,39148,1363,11,132,116,14,104,121]},"pktlen": {"min":60,"avg":98.0,"max":452,"stddev":90.7,"var":8221.2,"ent":4.6,"data": [78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365846680,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365846680,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.158.52","src_port":56679,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365846680,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGtj\/AqAG4I+SeNN1ndl9FuX9aAAAAALAC\/\/\/dzAAAAgQFtAEDAwUBAQgKItiZBAAAAAAEAgAA"}
-01788{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":36914.1,"max":194120,"stddev":74421.4,"var":5538540544.0,"ent":2.7,"data": [179215,179258,1530,193512,372,17,192344,9,225,230,714,12,52,18,61,2845,2062,406,9,21,19,104,193755,151,777,194120,128,66,1119,26,1161,0]},"pktlen": {"min":66,"avg":114.2,"max":538,"stddev":109.0,"var":11872.9,"ent":4.6,"data": [78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":36914.1,"max":194120,"stddev":74421.4,"var":5538540544.0,"ent":2.7,"data": [179215,179258,1530,193512,372,17,192344,9,225,230,714,12,52,18,61,2845,2062,406,9,21,19,104,193755,151,777,194120,128,66,1119,26,1161]},"pktlen": {"min":66,"avg":114.2,"max":538,"stddev":109.0,"var":11872.9,"ent":4.6,"data": [78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365852452,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365852452,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG3OLAqAG4ijsROt1odl\/ttHvbAAAAALAC\/\/9f7QAAAgQFtAEDAwUBAQgKItiZCQAAAAAEAgAA"}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1750,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365885366,"flow_dst_last_pkt_time":1578508365885366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365885366,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -360,10 +360,10 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1776,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365926010,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365926010,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG2dbAqAG4z7TO2N1pdl+dzwtnJw8AtoAQECw5oAAAAQEICiLYmUxcfI6d"}
 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1777,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365927412,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365927412,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00695{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1780,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":71,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365919739,"flow_dst_last_pkt_time":1578508365951357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":189,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":189,"pkt_l4_len":155,"thread_ts_usec":1578508365951357,"pkt":"KDc3AG3IEBMx8Tl2CABFAACvrTpAADMRthqnVnoywKgBuHZfdl8AmyGXAff4avCCJKd8iLkYnGp5WBGcR5kwKjaGYfuGK7O5Pxha3PZrVargsE3sp+V969kCE0ZShXRyP212X0\/ogX+KLxU0BMrg9yur0MCSn4OC+hF8e78p1SovnEhcJv1j5UvsAALwyYSnVnoygnZfgKByZEv+wn4eYEUXuf5R8Qoku8N0GB0rNIQImrGkxu4BYoReFiBh"}
-01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14146.5,"max":75129,"stddev":28349.9,"var":803714368.0,"ent":2.7,"data": [71269,71376,1312,75129,983,32,74778,28,135,90,486,477,192,27,65,15,66,252,9,12,16,87,69614,777,19,69699,729,15,730,7,115,0]},"pktlen": {"min":66,"avg":119.0,"max":613,"stddev":126.8,"var":16079.3,"ent":4.5,"data": [78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14146.5,"max":75129,"stddev":28349.9,"var":803714368.0,"ent":2.7,"data": [71269,71376,1312,75129,983,32,74778,28,135,90,486,477,192,27,65,15,66,252,9,12,16,87,69614,777,19,69699,729,15,730,7,115]},"pktlen": {"min":66,"avg":119.0,"max":613,"stddev":126.8,"var":16079.3,"ent":4.5,"data": [78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366005550,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366005550,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.83.237.44","src_port":56684,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366005550,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGV9jAqAG4M1PtLN1sdl8dp4x2AAAAALAC\/\/+ZwwAAAgQFtAEDAwUBAQgKItiZlwAAAAAEAgAA"}
-01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":42302.9,"max":263115,"stddev":95827.5,"var":9182917632.0,"ent":2.4,"data": [259670,259779,1313,261414,3049,263115,462,422,253,247,161,10,63,22,41,100,13,84,18,22,24,260103,45,20,93,122,13,668,28,8,8,0]},"pktlen": {"min":60,"avg":105.4,"max":605,"stddev":121.5,"var":14755.2,"ent":4.5,"data": [78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":42302.9,"max":263115,"stddev":95827.5,"var":9182917632.0,"ent":2.4,"data": [259670,259779,1313,261414,3049,263115,462,422,253,247,161,10,63,22,41,100,13,84,18,22,24,260103,45,20,93,122,13,668,28,8,8]},"pktlen": {"min":60,"avg":105.4,"max":605,"stddev":121.5,"var":14755.2,"ent":4.5,"data": [78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366020357,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366020357,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"88.99.93.219","src_port":56685,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366020357,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGwhnAqAG4WGNd291tdl+CSdQcAAAAALAC\/\/9XrgAAAgQFtAEDAwUBAQgKItiZpAAAAAAEAgAA"}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1862,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366029471,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366029471,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+KMAAAAgQFtAEDAwUBAQgKItiZrAAAAAAEAgAA"}
@@ -384,7 +384,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1968,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366073881,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508366117663,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGSnvOvWsjwKgBuHZf3W6FBUsAADkpP6AScSCofQAAAgQFrAQCCApn2sBGItiZ0wEDAwc="}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1969,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":3,"flow_src_last_pkt_time":1578508366117769,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508366117769,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGPoPAqAG4zr1rI91udl8AOSk\/hQVLAYAQECw4DwAAAQEICiLYmfpn2sBG"}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1970,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508366073881,"flow_src_last_pkt_time":1578508366119559,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":407,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":407,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366119559,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"206.189.107.35","src_port":56686,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":26506.8,"max":285939,"stddev":65286.3,"var":4262303488.0,"ent":2.6,"data": [40373,40438,1542,40906,246535,285939,40615,40605,699,30,144,12,23,360,16,18,29,110,39411,235,883,650,39691,157,36,21,17,63,1098,839,216,0]},"pktlen": {"min":66,"avg":123.6,"max":633,"stddev":120.4,"var":14503.6,"ent":4.6,"data": [78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98]},"bins": {"c_to_s": [16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01791{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":26506.8,"max":285939,"stddev":65286.3,"var":4262303488.0,"ent":2.6,"data": [40373,40438,1542,40906,246535,285939,40615,40605,699,30,144,12,23,360,16,18,29,110,39411,235,883,650,39691,157,36,21,17,63,1098,839,216]},"pktlen": {"min":66,"avg":123.6,"max":633,"stddev":120.4,"var":14503.6,"ent":4.6,"data": [78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98]},"bins": {"c_to_s": [16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":16,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01024{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508366055031,"flow_dst_last_pkt_time":1578508366053699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":447,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":447,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":27,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365195126,"flow_dst_last_pkt_time":1578508365241563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":798,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -471,8 +471,8 @@
 ~~ total active/idle flows...: 74/74
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6220777 bytes
-~~ total memory freed........: 6220777 bytes
+~~ total memory allocated....: 6220481 bytes
+~~ total memory freed........: 6220481 bytes
 ~~ total allocations/frees...: 124221/124221
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/ethernetIP.pcap.out b/test/results/ethernetIP.pcap.out
index 32354613f..b3f60fc8a 100644
--- a/test/results/ethernetIP.pcap.out
+++ b/test/results/ethernetIP.pcap.out
@@ -33,8 +33,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043429 bytes
-~~ total memory freed........: 6043429 bytes
+~~ total memory allocated....: 6043413 bytes
+~~ total memory freed........: 6043413 bytes
 ~~ total allocations/frees...: 121617/121617
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/exe_download.pcap.out b/test/results/exe_download.pcap.out
index e17c08177..2f9ab5516 100644
--- a/test/results/exe_download.pcap.out
+++ b/test/results/exe_download.pcap.out
@@ -6,7 +6,7 @@
 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434051324323,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434051324323,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoALJAAIAGAJIKCRllkFtFw8ANAFC+hvgfPu\/YuVAQ+vAsqgAA"}
 01243{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434051324979,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":0,"content_type":"","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}}
 01398{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051623372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434051623372,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":200,"content_type":"application\/octet-stream","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}}
-02069{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":62020.0,"max":319527,"stddev":115050.4,"var":13236601856.0,"ent":3.0,"data": [319320,319527,656,1120,298136,10,298579,1555,147,1842,2428,2695,9,4969,246,28639,114,28917,100748,305805,34,11,94,205204,207,207,651,10,7,7,727,0]},"pktlen": {"min":54,"avg":868.5,"max":1514,"stddev":668.4,"var":446708.3,"ent":4.4,"data": [66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+02067{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":62020.0,"max":319527,"stddev":115050.4,"var":13236601856.0,"ent":3.0,"data": [319320,319527,656,1120,298136,10,298579,1555,147,1842,2428,2695,9,4969,246,28639,114,28917,100748,305805,34,11,94,205204,207,207,651,10,7,7,727]},"pktlen": {"min":54,"avg":868.5,"max":1514,"stddev":668.4,"var":446708.3,"ent":4.4,"data": [66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 01266{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":203,"flow_dst_packets_processed":500,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434056186340,"flow_dst_last_pkt_time":1569434056096541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":679332,"midstream":0,"thread_ts_usec":1569434056186340,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","packets-captured":703,"packets-processed":703,"total-skipped-flows":0,"total-l4-payload-len":679485,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434056186340}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6056199 bytes
-~~ total memory freed........: 6056199 bytes
+~~ total memory allocated....: 6056195 bytes
+~~ total memory freed........: 6056195 bytes
 ~~ total allocations/frees...: 122196/122196
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
-~~ json string max len.......: 2074 chars
-~~ json string avg len.......: 1230 chars
+~~ json string max len.......: 2072 chars
+~~ json string avg len.......: 1229 chars
diff --git a/test/results/exe_download_as_png.pcap.out b/test/results/exe_download_as_png.pcap.out
index e7359632c..2ad048210 100644
--- a/test/results/exe_download_as_png.pcap.out
+++ b/test/results/exe_download_as_png.pcap.out
@@ -6,7 +6,7 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434903440784,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434903440784,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoBlJAAIAGv\/QKCRlluWJXucAtAFB7PMGXLy4K1lAQ+vBJBAAA"}
 01126{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434903441012,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":0,"content_type":"","user_agent":"WinHTTP loader\/1.0"}}}
 01261{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434904053845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434904053845,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":200,"content_type":"image\/png","user_agent":"WinHTTP loader\/1.0"}}}
-01963{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":93850.2,"max":613012,"stddev":192589.9,"var":37090865152.0,"ent":2.7,"data": [400153,400486,228,717,612677,12,613012,424,482,834,426,507,936,1134,423,1552,361,732,1082,417726,1390,103,419479,654,405,941,2596,154,2784,26602,344,0]},"pktlen": {"min":54,"avg":869.0,"max":1514,"stddev":664.6,"var":441668.3,"ent":4.4,"data": [66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":93850.2,"max":613012,"stddev":192589.9,"var":37090865152.0,"ent":2.7,"data": [400153,400486,228,717,612677,12,613012,424,482,834,426,507,936,1134,423,1552,361,732,1082,417726,1390,103,419479,654,405,941,2596,154,2784,26602,344]},"pktlen": {"min":54,"avg":869.0,"max":1514,"stddev":664.6,"var":441668.3,"ent":4.4,"data": [66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01153{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":163,"flow_dst_packets_processed":371,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434972556095,"flow_dst_last_pkt_time":1569434912545467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":299,"flow_dst_tot_l4_payload_len":500298,"midstream":0,"thread_ts_usec":1569434972556095,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00576{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","packets-captured":534,"packets-processed":534,"total-skipped-flows":0,"total-l4-payload-len":500597,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434972556095}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6051229 bytes
-~~ total memory freed........: 6051229 bytes
+~~ total memory allocated....: 6051225 bytes
+~~ total memory freed........: 6051225 bytes
 ~~ total allocations/frees...: 122026/122026
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
-~~ json string max len.......: 1968 chars
-~~ json string avg len.......: 1181 chars
+~~ json string max len.......: 1966 chars
+~~ json string avg len.......: 1180 chars
diff --git a/test/results/facebook.pcap.out b/test/results/facebook.pcap.out
index 1a5340b6f..3eed8a9b8 100644
--- a/test/results/facebook.pcap.out
+++ b/test/results/facebook.pcap.out
@@ -13,7 +13,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1472393123682902,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1472393123682902,"pkt":"mAyC0zx8MFLLbJwbCABFAAA0dR5AAEAGZLrAqCsSHw1WJK5GAbsvASg+cOnYd4AQAOVhEgAAAQEICgBLXUglRdDW"}
 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472393123683095,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}}
 01128{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123838069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1472393123838069,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,spdy\/3.1,http\/1.1"}}}
-01734{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":36622.1,"max":154982,"stddev":57898.8,"var":3352273664.0,"ent":3.3,"data": [132117,132136,193,154701,485,154982,244,3282,129361,125921,442,418,797,119231,4520,123730,627,605,1230,4940,621,5568,8878,7797,16680,916,530,1441,790,657,1444,0]},"pktlen": {"min":66,"avg":569.1,"max":1454,"stddev":613.3,"var":376153.1,"ent":4.2,"data": [74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66]},"bins": {"c_to_s": [10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":36622.1,"max":154982,"stddev":57898.8,"var":3352273664.0,"ent":3.3,"data": [132117,132136,193,154701,485,154982,244,3282,129361,125921,442,418,797,119231,4520,123730,627,605,1230,4940,621,5568,8878,7797,16680,916,530,1441,790,657,1444]},"pktlen": {"min":66,"avg":569.1,"max":1454,"stddev":613.3,"var":376153.1,"ent":4.2,"data": [74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66]},"bins": {"c_to_s": [10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1472393122365661,"flow_src_last_pkt_time":1472393123408152,"flow_dst_last_pkt_time":1472393123665163,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":383,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":743,"flow_dst_tot_l4_payload_len":3732,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":22,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124218612,"flow_dst_last_pkt_time":1472393124229315,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":20642,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":26519,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":19,"global_ts_usec":1472393124229315}
@@ -25,10 +25,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6054430 bytes
-~~ total memory freed........: 6054430 bytes
+~~ total memory allocated....: 6054422 bytes
+~~ total memory freed........: 6054422 bytes
 ~~ total allocations/frees...: 121580/121580
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1739 chars
-~~ json string avg len.......: 1110 chars
+~~ json string max len.......: 1737 chars
+~~ json string avg len.......: 1109 chars
diff --git a/test/results/fastcgi.pcap.out b/test/results/fastcgi.pcap.out
index 1d849c5ce..a21f9b2b6 100644
--- a/test/results/fastcgi.pcap.out
+++ b/test/results/fastcgi.pcap.out
@@ -5,7 +5,7 @@
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1280403893598699,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1280403893598868,"pkt":"AAvNgo+GABzEfBq8CABFAAA8AABAAEAGJqkKAAALCgAACSMolW5v2bTavtEyUKASFqBTYwAAAgQFtAQCCAoN02\/TIuta2wEDAwc="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1280403893598925,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1280403893598925,"pkt":"ABzEfBq8AAvNgo+GCABFAAA0aJVAAEAGvhsKAAAJCgAAC5VuIyi+0TJQb9m024AQAFyYcwAAAQEICiLrWtsN02\/T"}
 00855{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403893599034,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1071,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1280403893599034,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01661{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":130385.1,"max":2020143,"stddev":496240.3,"var":246254469120.0,"ent":1.0,"data": [169,226,42,67,15,217,77,12,83,12,48,16,2019881,2020143,186,63,52,55,94,90,42,33,32,28,26,27,50,53,34,34,32,0]},"pktlen": {"min":66,"avg":553.2,"max":1514,"stddev":672.8,"var":452637.9,"ent":3.9,"data": [74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01659{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":130385.1,"max":2020143,"stddev":496240.3,"var":246254469120.0,"ent":1.0,"data": [169,226,42,67,15,217,77,12,83,12,48,16,2019881,2020143,186,63,52,55,94,90,42,33,32,28,26,27,50,53,34,34,32]},"pktlen": {"min":66,"avg":553.2,"max":1514,"stddev":672.8,"var":452637.9,"ent":3.9,"data": [74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":54,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403897015424,"flow_dst_last_pkt_time":1280403897015595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":64400,"midstream":0,"thread_ts_usec":1280403897015595,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":65495,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1280403897015595}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040690 bytes
-~~ total memory freed........: 6040690 bytes
+~~ total memory allocated....: 6040686 bytes
+~~ total memory freed........: 6040686 bytes
 ~~ total allocations/frees...: 121592/121592
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1666 chars
-~~ json string avg len.......: 1024 chars
+~~ json string max len.......: 1664 chars
+~~ json string avg len.......: 1023 chars
diff --git a/test/results/firefox.pcap.out b/test/results/firefox.pcap.out
index 0fac31ebc..3fa5522c2 100644
--- a/test/results/firefox.pcap.out
+++ b/test/results/firefox.pcap.out
@@ -8,7 +8,7 @@
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927997782476,"flow_dst_last_pkt_time":1620927997814169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620927997814169,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998782772,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998782772,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Esl\/AbveSGQcAAAAALAC\/\/\/OTgAAAgQFtAEDAwUBAQgKNAyYZQAAAAAEAgAA"}
-01704{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":66861.1,"max":576607,"stddev":148076.5,"var":21926651904.0,"ent":2.8,"data": [26706,26798,1311,27344,5752,45,31822,499,455,210977,313,236002,29,1309,26,26092,3,575380,1218,576607,259,117,346,122,123,243,1357,145807,171406,2874,1353,0]},"pktlen": {"min":66,"avg":599.1,"max":1506,"stddev":633.0,"var":400627.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":66861.1,"max":576607,"stddev":148076.5,"var":21926651904.0,"ent":2.8,"data": [26706,26798,1311,27344,5752,45,31822,499,455,210977,313,236002,29,1309,26,26092,3,575380,1218,576607,259,117,346,122,123,243,1357,145807,171406,2874,1353]},"pktlen": {"min":66,"avg":599.1,"max":1506,"stddev":633.0,"var":400627.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998806443,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998806443,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmEAbtCftk8AAAAALAC\/\/\/03wAAAgQFtAEDAwUBAQgKNAyYeQAAAAAEAgAA"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998817178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927998817178,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yX\/JSxfE3khkHaAS\/oi4VgAAAgQFrAQCCAo8IAs5NAyYZQEDAwc="}
@@ -27,7 +27,7 @@
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999112216,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927999112216,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmRAbvLRPiuAAAAALAC\/\/9LkAAAAgQFtAEDAwUBAQgKNAyZgwAAAAAEAgAA"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999109976,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138093,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yY9yeaT2oLD166AS\/ogrVAAAAgQFrAQCCAo8IAx5NAyZgQEDAwc="}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999111334,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138095,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZBJLtVRAr1wcaAS\/ohHrwAAAgQFrAQCCAo8IAx6NAyZggEDAwc="}
-01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":22924.4,"max":231008,"stddev":52648.8,"var":2771896832.0,"ent":3.0,"data": [34406,34489,3261,32258,1506,30479,4158,18595,31638,14,8894,18473,2988,120,21557,203508,231008,997,180,13,28684,187,199,924,71,1013,133,374,19,9,500,0]},"pktlen": {"min":66,"avg":656.3,"max":1506,"stddev":649.7,"var":422101.6,"ent":4.2,"data": [78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":22924.4,"max":231008,"stddev":52648.8,"var":2771896832.0,"ent":3.0,"data": [34406,34489,3261,32258,1506,30479,4158,18595,31638,14,8894,18473,2988,120,21557,203508,231008,997,180,13,28684,187,199,924,71,1013,133,374,19,9,500]},"pktlen": {"min":66,"avg":656.3,"max":1506,"stddev":649.7,"var":422101.6,"ent":4.2,"data": [78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":118,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138163,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138163,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmPAbugsPXrcnmk94AQECxIWgAAAQEICjQMmZw8IAx5"}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138166,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138166,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmQAbsCvXBxSS7VUoAQECxktgAAAQEICjQMmZw8IAx6"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999140847,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZFyBGfZy0T4r6AS\/og7hgAAAgQFrAQCCAo8IAx9NAyZgwEDAwc="}
@@ -35,16 +35,16 @@
 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999141444,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999143664,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":126,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999148674,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01577{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":23282.8,"max":221390,"stddev":50495.5,"var":2549799168.0,"ent":3.1,"data": [27372,27441,16192,42139,1225,27152,10064,34749,19,24715,195798,221390,1843,27432,3443,28677,1090,241,26560,1009,109,1111,130,120,236,127,123,253,261,233,512,0]},"pktlen": {"min":66,"avg":622.9,"max":1506,"stddev":649.7,"var":422127.9,"ent":4.2,"data": [78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]}}
+01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":23282.8,"max":221390,"stddev":50495.5,"var":2549799168.0,"ent":3.1,"data": [27372,27441,16192,42139,1225,27152,10064,34749,19,24715,195798,221390,1843,27432,3443,28677,1090,241,26560,1009,109,1111,130,120,236,127,123,253,261,233,512]},"pktlen": {"min":66,"avg":622.9,"max":1506,"stddev":649.7,"var":422127.9,"ent":4.2,"data": [78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]}}
 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999169718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999169718,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999170826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999170826,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999179715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999179715,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":7431.5,"max":29597,"stddev":10227.7,"var":104605344.0,"ent":3.7,"data": [26761,26832,3278,29208,2415,28362,2863,12850,29597,2,13859,11433,1695,114,13236,128,293,994,822,122,164,127,63,168,80,256,81,263,11998,12186,128,0]},"pktlen": {"min":66,"avg":614.5,"max":1506,"stddev":660.2,"var":435829.6,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1]}}
+01558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":7431.5,"max":29597,"stddev":10227.7,"var":104605344.0,"ent":3.7,"data": [26761,26832,3278,29208,2415,28362,2863,12850,29597,2,13859,11433,1695,114,13236,128,293,994,822,122,164,127,63,168,80,256,81,263,11998,12186,128]},"pktlen": {"min":66,"avg":614.5,"max":1506,"stddev":660.2,"var":435829.6,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1]}}
 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":8622.9,"max":45603,"stddev":12422.0,"var":154305440.0,"ent":3.6,"data": [28117,28187,5501,31657,1076,27239,20259,3957,45603,1275,22621,2846,3133,147,6125,104,193,162,80,94,95,129,121,148,217,366,254,1527,18636,26,17416,0]},"pktlen": {"min":66,"avg":592.4,"max":1506,"stddev":641.5,"var":411570.0,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0]}}
+01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":8622.9,"max":45603,"stddev":12422.0,"var":154305440.0,"ent":3.6,"data": [28117,28187,5501,31657,1076,27239,20259,3957,45603,1275,22621,2846,3133,147,6125,104,193,162,80,94,95,129,121,148,217,366,254,1527,18636,26,17416]},"pktlen": {"min":66,"avg":592.4,"max":1506,"stddev":641.5,"var":411570.0,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0]}}
 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9847.8,"max":37388,"stddev":13420.2,"var":180101408.0,"ent":3.6,"data": [28631,28716,7742,37388,1480,31124,2184,12981,31005,84,15910,15394,488,119,15971,252,383,635,139,236,17,375,2,151,475,36484,124,120,36112,183,377,0]},"pktlen": {"min":66,"avg":547.2,"max":1506,"stddev":619.5,"var":383804.7,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1]}}
+01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9847.8,"max":37388,"stddev":13420.2,"var":180101408.0,"ent":3.6,"data": [28631,28716,7742,37388,1480,31124,2184,12981,31005,84,15910,15394,488,119,15971,252,383,635,139,236,17,375,2,151,475,36484,124,120,36112,183,377]},"pktlen": {"min":66,"avg":547.2,"max":1506,"stddev":619.5,"var":383804.7,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1]}}
 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":436,"flow_dst_packets_processed":629,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927999853445,"flow_dst_last_pkt_time":1620927999852827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":4766,"flow_dst_tot_l4_payload_len":886436,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":408,"flow_dst_packets_processed":623,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999948696,"flow_dst_last_pkt_time":1620927999948604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3687,"flow_dst_tot_l4_payload_len":865816,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -61,10 +61,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6547632 bytes
-~~ total memory freed........: 6547632 bytes
+~~ total memory allocated....: 6547608 bytes
+~~ total memory freed........: 6547608 bytes
 ~~ total allocations/frees...: 127043/127043
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1709 chars
-~~ json string avg len.......: 1099 chars
+~~ json string max len.......: 1707 chars
+~~ json string avg len.......: 1098 chars
diff --git a/test/results/fix.pcap.out b/test/results/fix.pcap.out
index 62611267e..e58932945 100644
--- a/test/results/fix.pcap.out
+++ b/test/results/fix.pcap.out
@@ -29,7 +29,7 @@
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755109655079,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA07JVAAEAGb0LAqAAUCBEWH7taD6B8NqfnDJ+ZSYAQhgAbHwAAAQEICho\/VIrKvigo"}
 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755109655263,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK7JZAAEAGbuvAqAAUCBEWH7taD6B8NqfnDJ+ZSYAYhgDh+QAAAQEICho\/VIrKvigoOD1GSVhDT01QATk9NzEBeJwNx7ENgDAMBED9QER+x684kdwisQEtDR0N+xdw3WXtx9miEbPMQugqQ48\/iuGQlxuHyXzjXMrlCdLrvt4HtKKED90WDdY="}
 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109941137,"flow_dst_last_pkt_time":1493755109440588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1493755109941137,"pkt":"THK5MeMlACJNe\/gxCABFAABLyzQAADIGwMPQ9WsDwKgAFA+gshDsZRDXr0wvBlAYWgiDjAAAOD1PATk9MDAyNAEzNT1HAQCIAAAAWQxAldWZn+Q2dgAAAAE="}
-01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":170,"avg":65174.2,"max":314954,"stddev":68088.5,"var":4636038656.0,"ent":4.4,"data": [170,209,52428,3585,93980,87569,49399,50741,50707,52796,52875,49653,49630,49737,49707,49456,49402,49750,49791,49981,50005,49926,49930,49589,49596,49797,49760,50218,50168,314891,314954,0]},"pktlen": {"min":54,"avg":107.1,"max":511,"stddev":87.5,"var":7658.2,"ent":4.7,"data": [93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60]},"bins": {"c_to_s": [4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":170,"avg":65174.2,"max":314954,"stddev":68088.5,"var":4636038656.0,"ent":4.4,"data": [170,209,52428,3585,93980,87569,49399,50741,50707,52796,52875,49653,49630,49737,49707,49456,49402,49750,49791,49981,50005,49926,49930,49589,49596,49797,49760,50218,50168,314891,314954]},"pktlen": {"min":54,"avg":107.1,"max":511,"stddev":87.5,"var":7658.2,"ent":4.7,"data": [93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60]},"bins": {"c_to_s": [4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00613{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":131,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":131,"pkt_l4_len":97,"thread_ts_usec":1493755110320014,"pkt":"THK5MeMlACJNe\/gxCABFAAB1U\/wAADIGN9LQ9WsDwKgAFA+glvwzTd9PWnk+l1AYb96N\/wAAOD1PATk9MDA2NgEzNT1HAQHYAAAABVkI5OEMFeFiPZCEMAATlYJyAAAABFkI5OEMFVZHfdCEMAATwIJ3AAAABlkI5OEIW+2APQJxEAQ="}
 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
@@ -38,14 +38,14 @@
 00846{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110328857,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755110328967,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA0b9ZAAEAG7AHAqAAUCBEWH5\/WD6D+vKsbjSdUdYAQ\/\/\/knQAAAQEICtZGrHjKvirJ"}
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110362185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755110362185,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAouAtAAEAGhg\/AqAAU0PVrA5b8D6BaeT6XM03fnFAQ\/GxkGwAAAAAAAAAA"}
-01694{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":90514.6,"max":300186,"stddev":84141.6,"var":7079807488.0,"ent":4.2,"data": [147,100141,123,100163,124,100018,123,100053,25,99913,99995,100225,100166,100788,100836,300170,29,300186,26,222,17881,82390,142005,200503,158539,99966,99944,398,386,200212,200256,0]},"pktlen": {"min":66,"avg":86.0,"max":153,"stddev":23.6,"var":558.3,"ent":4.9,"data": [96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66]},"bins": {"c_to_s": [6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":90514.6,"max":300186,"stddev":84141.6,"var":7079807488.0,"ent":4.2,"data": [147,100141,123,100163,124,100018,123,100053,25,99913,99995,100225,100166,100788,100836,300170,29,300186,26,222,17881,82390,142005,200503,158539,99966,99944,398,386,200212,200256]},"pktlen": {"min":66,"avg":86.0,"max":153,"stddev":23.6,"var":558.3,"ent":4.9,"data": [96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66]},"bins": {"c_to_s": [6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111422176,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1493755111422176,"pkt":"THK5MeMlACJNe\/gxCABFAABwiaEAAPUGXPoIERYfwKgAFA+gn9aNJ1R1\/ryrG4AY\/\/+zfAAAAQEICsq+Lw\/WRqx4OD1PATk9MDA0OQEzNT1HAQFQAAAADVkI5OEMFgYg3VCIUAATiYF3AAAADFkI5OEMB9wg3RAAEAATiYAA"}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755111956116,"pkt":"THK5MeMlACJNe\/gxCABFAABP7\/wAADIGm\/fQ9WsDwKgAFA+glvYLJrChYuT9OVAYYmg1SgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"}
 00850{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755111956292,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAoPOZAAEAGATXAqAAU0PVrA5b2D6Bi5P05CyawyFAQ\/Gz0DgAAAAAAAAAA"}
 00630{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956474,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1493755111956474,"pkt":"ACJNe\/gxTHK5MeMlCABFAAB9POdAAEAGAN\/AqAAU0PVrA5b2D6Bi5P05CyawyFAY\/GyQmgAAOD1GSVhDT01QATk9NzABeJwFwTEKgEAMBEDyII\/dJIu5g7SCP7C1sbPx\/4Uz1cd5jRy02UDKQg2LbFAVafJ2cIfgG+dSraCR3s\/9vUY05fYD3SIN0A=="}
-01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":177826.7,"max":291268,"stddev":112931.7,"var":12753577984.0,"ent":4.5,"data": [209,293,265,250589,114,250615,24,223,18233,232135,291268,250073,208970,250691,250733,250586,250560,250658,250654,250671,250658,250632,30,250660,26,251471,251453,249735,249759,250325,250315,0]},"pktlen": {"min":66,"avg":109.7,"max":254,"stddev":52.0,"var":2700.5,"ent":4.8,"data": [152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66]},"bins": {"c_to_s": [2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":177826.7,"max":291268,"stddev":112931.7,"var":12753577984.0,"ent":4.5,"data": [209,293,265,250589,114,250615,24,223,18233,232135,291268,250073,208970,250691,250733,250586,250560,250658,250654,250671,250658,250632,30,250660,26,251471,251453,249735,249759,250325,250315]},"pktlen": {"min":66,"avg":109.7,"max":254,"stddev":52.0,"var":2700.5,"ent":4.8,"data": [152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66]},"bins": {"c_to_s": [2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755113353296,"pkt":"THK5MeMlACJNe\/gxCABFAABP8tQAADIGmR\/Q9WsDwKgAFA+gmLZKUJEYQJIHD1AYWpQ0OgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"}
 00851{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
@@ -63,8 +63,8 @@
 00848{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":419,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755117668152,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755117668152,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40928,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00647{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":420,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755117668466,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK1yxAAEAGhFXAqAAUCBEWH5\/gD6Bu8UTiG402I4AY\/+CkEwAAAQEICnIP3\/PKvkd1OD1GSVhDT01QATk9NzEBeJwFwbENgDAMBEB5IKJ\/Ow5OpG+R2ICWho6G\/QvuSsd5td5oU0BPixQsusCsLEuXgzsSvnGurBXDSNdzf68R4gj7Ad5tDd0="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":425,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1493755117687593,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755117687593,"pkt":"THK5MeMlACJNe\/gxCABFAAA09L8AAPUG8hcIERYfwKgAFA+gn+AbjTYjbvFFOIAQ\/\/9+KwAAAQEICsq+R4lyD9\/z"}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":699019.6,"max":5507323,"stddev":1280900.8,"var":1640706605056.0,"ent":3.7,"data": [168,500717,500699,200419,200471,184,89723,210661,340264,500679,460548,5507291,5507323,600979,600971,400442,400455,700964,700990,400404,400386,600557,600559,400806,400807,600830,600822,215,54314,45693,140268,0]},"pktlen": {"min":54,"avg":77.6,"max":141,"stddev":21.9,"var":481.2,"ent":4.9,"data": [89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60]},"bins": {"c_to_s": [2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
-01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":110,"avg":1331983.5,"max":4175061,"stddev":1132458.4,"var":1282462056448.0,"ent":4.4,"data": [110,1093319,1093395,599016,598995,1546128,1546141,239,22763,2072709,2137804,913298,870712,442005,442027,3366066,3366054,1195438,1195405,437653,437695,1550229,1550211,211,22417,1711389,1774342,1498173,1457475,4175061,4175010,0]},"pktlen": {"min":66,"avg":91.7,"max":151,"stddev":28.5,"var":811.2,"ent":4.9,"data": [105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66]},"bins": {"c_to_s": [2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":699019.6,"max":5507323,"stddev":1280900.8,"var":1640706605056.0,"ent":3.7,"data": [168,500717,500699,200419,200471,184,89723,210661,340264,500679,460548,5507291,5507323,600979,600971,400442,400455,700964,700990,400404,400386,600557,600559,400806,400807,600830,600822,215,54314,45693,140268]},"pktlen": {"min":54,"avg":77.6,"max":141,"stddev":21.9,"var":481.2,"ent":4.9,"data": [89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60]},"bins": {"c_to_s": [2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":110,"avg":1331983.5,"max":4175061,"stddev":1132458.4,"var":1282462056448.0,"ent":4.4,"data": [110,1093319,1093395,599016,598995,1546128,1546141,239,22763,2072709,2137804,913298,870712,442005,442027,3366066,3366054,1195438,1195405,437653,437695,1550229,1550211,211,22417,1711389,1774342,1498173,1457475,4175061,4175010]},"pktlen": {"min":66,"avg":91.7,"max":151,"stddev":28.5,"var":811.2,"ent":4.9,"data": [105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66]},"bins": {"c_to_s": [2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":228,"flow_dst_packets_processed":228,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755132102784,"flow_dst_last_pkt_time":1493755132102954,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":14021,"flow_dst_tot_l4_payload_len":258,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755131869860,"flow_dst_last_pkt_time":1493755131870022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":1132,"flow_dst_tot_l4_payload_len":260,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00892{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":18,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755132019095,"flow_dst_last_pkt_time":1493755132019254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
@@ -86,10 +86,10 @@
 ~~ total active/idle flows...: 12/12
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6114698 bytes
-~~ total memory freed........: 6114698 bytes
+~~ total memory allocated....: 6114650 bytes
+~~ total memory freed........: 6114650 bytes
 ~~ total allocations/frees...: 122870/122870
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1763 chars
-~~ json string avg len.......: 1124 chars
+~~ json string max len.......: 1761 chars
+~~ json string avg len.......: 1123 chars
diff --git a/test/results/fix2.pcap.out b/test/results/fix2.pcap.out
index 7b13ba278..9863e4d62 100644
--- a/test/results/fix2.pcap.out
+++ b/test/results/fix2.pcap.out
@@ -10,8 +10,8 @@
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614758889589020,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614758889589588,"pkt":"WgXZu6TVApXG95WRCABFAAAweT8AAIAGrLMKZgAJCmUAAgQAiJMt1EWWLdRCK3ASgAF\/OwAAAgQFtAMDAQA="}
 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614758889589590,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1614758889589590,"pkt":"5kBKB+riApXG95NLCABFAAAoeUAAAIAGAAAKZQACCmYACYiTBAAt1EIrLdRFl1AQgAEU8AAAAAAAAAAA"}
 00844{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889589592,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":85,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614758889589592,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
-01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":73.3,"max":652,"stddev":161.3,"var":26006.9,"ent":3.1,"data": [641,652,12,92,71,9,33,29,203,208,31,32,5,2,23,28,2,2,8,8,11,13,25,23,5,4,9,5,7,5,0,0]},"pktlen": {"min":60,"avg":106.6,"max":174,"stddev":46.7,"var":2179.9,"ent":4.9,"data": [62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152]},"bins": {"c_to_s": [7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
-01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":70.9,"max":570,"stddev":141.3,"var":19970.8,"ent":3.3,"data": [568,570,2,146,145,106,1,105,2,16,6,26,48,7,14,19,2,2,18,19,48,49,27,12,37,4,6,27,25,0,0,0]},"pktlen": {"min":60,"avg":106.0,"max":174,"stddev":46.1,"var":2122.5,"ent":4.9,"data": [62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60]},"bins": {"c_to_s": [6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":73.3,"max":652,"stddev":161.3,"var":26006.9,"ent":3.1,"data": [641,652,12,92,71,9,33,29,203,208,31,32,5,2,23,28,2,2,8,8,11,13,25,23,5,4,9,5,7,5]},"pktlen": {"min":60,"avg":106.6,"max":174,"stddev":46.7,"var":2179.9,"ent":4.9,"data": [62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152]},"bins": {"c_to_s": [7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
+01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":70.9,"max":570,"stddev":141.3,"var":19970.8,"ent":3.3,"data": [568,570,2,146,145,106,1,105,2,16,6,26,48,7,14,19,2,2,18,19,48,49,27,12,37,4,6,27,25]},"pktlen": {"min":60,"avg":106.0,"max":174,"stddev":46.1,"var":2122.5,"ent":4.9,"data": [62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60]},"bins": {"c_to_s": [6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":683,"flow_dst_packets_processed":1304,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889595345,"flow_dst_last_pkt_time":1614758889595344,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":13395,"flow_dst_tot_l4_payload_len":26148,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":411,"flow_dst_packets_processed":648,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889595307,"flow_dst_last_pkt_time":1614758889595305,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":10864,"flow_dst_tot_l4_payload_len":17549,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","packets-captured":3049,"packets-processed":3046,"total-skipped-flows":0,"total-l4-payload-len":67956,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1614758889595345}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6129703 bytes
-~~ total memory freed........: 6129703 bytes
+~~ total memory allocated....: 6129695 bytes
+~~ total memory freed........: 6129695 bytes
 ~~ total allocations/frees...: 124545/124545
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1604 chars
-~~ json string avg len.......: 1034 chars
+~~ json string max len.......: 1598 chars
+~~ json string avg len.......: 1031 chars
diff --git a/test/results/flow-info/1kxun.pcap.out b/test/results/flow-info/1kxun.pcap.out
index 395518d6e..17e357fae 100644
--- a/test/results/flow-info/1kxun.pcap.out
+++ b/test/results/flow-info/1kxun.pcap.out
@@ -76,7 +76,7 @@
                    [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 0.0,52.1,52.2,0.0,5.5,0.0,48.2,11.6,0.8,0.1,0.1,0.0,0.3,0.0,0.0,0.0,0.5,56.2,0.0,50.5,3.5,0.1,0.1,53.9,0.0,17.7,0.1,0.1,0.1,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.0,52.1,52.2,0.0,5.5,0.0,48.2,11.6,0.8,0.1,0.1,0.0,0.3,0.0,0.0,0.0,0.5,56.2,0.0,50.5,3.5,0.1,0.1,53.9,0.0,17.7,0.1,0.1,0.1,0.0,0.1]
                    [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314]
           analyse: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -85,7 +85,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0]
-                   [IATS(ms)....: 0.0,54.6,54.7,0.0,4.2,0.1,64.5,0.1,0.0,0.0,0.1,0.0,0.7,0.1,0.1,0.1,61.7,0.0,0.9,65.4,0.1,66.2,0.1,0.5,2.9,0.6,0.1,0.1,0.1,3.9,0.0,0.0]
+                   [IATS(ms)....: 0.0,54.6,54.7,0.0,4.2,0.1,64.5,0.1,0.0,0.0,0.1,0.0,0.7,0.1,0.1,0.1,61.7,0.0,0.9,65.4,0.1,66.2,0.1,0.5,2.9,0.6,0.1,0.1,0.1,3.9,0.0]
                    [PKTLENS.....: 66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54]
           analyse: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -94,7 +94,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,53.2,53.3,0.0,4.6,0.1,61.5,0.0,0.3,0.1,57.3,0.0,5.1,0.1,0.3,0.0,0.3,0.1,5.9,0.0,1.4,65.1,0.1,0.1,0.1,66.8,0.0,3.8,0.1,0.8,0.1,0.0]
+                   [IATS(ms)....: 0.0,53.2,53.3,0.0,4.6,0.1,61.5,0.0,0.3,0.1,57.3,0.0,5.1,0.1,0.3,0.0,0.3,0.1,5.9,0.0,1.4,65.1,0.1,0.1,0.1,66.8,0.0,3.8,0.1,0.8,0.1]
                    [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]
           analyse: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -103,7 +103,7 @@
                    [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0]
-                   [IATS(ms)....: 0.0,50.7,50.8,0.0,5.7,0.0,60.3,0.1,0.1,0.1,0.0,0.1,0.7,0.0,0.0,0.1,0.3,56.3,0.0,72.3,0.1,0.0,0.1,0.2,0.1,0.1,0.1,0.3,0.0,96.5,0.1,0.0]
+                   [IATS(ms)....: 0.0,50.7,50.8,0.0,5.7,0.0,60.3,0.1,0.1,0.1,0.0,0.1,0.7,0.0,0.0,0.1,0.3,56.3,0.0,72.3,0.1,0.0,0.1,0.2,0.1,0.1,0.1,0.3,0.0,96.5,0.1]
                    [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423]
           analyse: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -112,7 +112,7 @@
                    [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.1,51.9,52.1,0.0,5.2,0.1,60.5,0.9,0.0,0.0,0.1,0.0,0.4,0.1,0.0,0.1,0.2,85.1,142.0,0.0,40.8,2.5,0.1,0.1,0.1,43.6,0.1,0.4,0.1,0.1,0.0,0.0]
+                   [IATS(ms)....: 0.1,51.9,52.1,0.0,5.2,0.1,60.5,0.9,0.0,0.0,0.1,0.0,0.4,0.1,0.0,0.1,0.2,85.1,142.0,0.0,40.8,2.5,0.1,0.1,0.1,43.6,0.1,0.4,0.1,0.1,0.0]
                    [PKTLENS.....: 66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]
               new: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] 
          detected: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][System][Dangerous]
@@ -128,7 +128,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1]
-                   [IATS(ms)....: 0.1,37.8,38.0,0.1,1.8,0.1,39.0,109.8,0.2,146.8,0.0,0.3,0.1,0.1,0.1,0.5,0.0,0.2,0.1,0.1,0.4,0.0,0.2,36.3,36.5,0.0,0.4,0.1,0.5,0.1,0.1,0.0]
+                   [IATS(ms)....: 0.1,37.8,38.0,0.1,1.8,0.1,39.0,109.8,0.2,146.8,0.0,0.3,0.1,0.1,0.1,0.5,0.0,0.2,0.1,0.1,0.4,0.0,0.2,36.3,36.5,0.0,0.4,0.1,0.5,0.1,0.1]
                    [PKTLENS.....: 66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314]
               new: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] 
          detected: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] [HTTP][Web][Acceptable]
@@ -166,7 +166,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 0.1,76.5,76.6,0.0,1.1,0.0,62.3,0.1,61.8,0.0,298.9,0.1,399.0,66.5,0.2,166.1,0.0,60.3,0.5,0.1,60.8,0.0,117.1,0.0,178.1,0.5,62.0,0.0,102.3,44.3,349.7,0.0]
+                   [IATS(ms)....: 0.1,76.5,76.6,0.0,1.1,0.0,62.3,0.1,61.8,0.0,298.9,0.1,399.0,66.5,0.2,166.1,0.0,60.3,0.5,0.1,60.8,0.0,117.1,0.0,178.1,0.5,62.0,0.0,102.3,44.3,349.7]
                    [PKTLENS.....: 66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54]
          detected: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Web][Acceptable]
                    RISK: HTTP Numeric IP Address
@@ -191,7 +191,7 @@
                    [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.0,69.3,69.4,0.0,1.9,0.0,67.9,1.4,6.1,0.3,74.0,0.0,665.9,862.8,0.0,408.6,411.0,0.0,251.4,251.8,0.0,336.8,336.0,0.1,329.9,0.2,130.8,0.1,599.5,799.2,0.1,0.0]
+                   [IATS(ms)....: 0.0,69.3,69.4,0.0,1.9,0.0,67.9,1.4,6.1,0.3,74.0,0.0,665.9,862.8,0.0,408.6,411.0,0.0,251.4,251.8,0.0,336.8,336.0,0.1,329.9,0.2,130.8,0.1,599.5,799.2,0.1]
                    [PKTLENS.....: 66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54]
               new: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] 
               new: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] [MIDSTREAM] 
@@ -338,7 +338,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 0.0,54.5,54.6,0.0,4.9,0.0,65.5,0.1,0.1,0.4,0.1,0.1,0.2,0.0,0.0,0.0,0.0,61.5,0.0,69.0,0.1,0.1,0.0,0.7,0.1,0.1,0.1,0.5,70.7,0.0,45001.1,0.0]
+                   [IATS(ms)....: 0.0,54.5,54.6,0.0,4.9,0.0,65.5,0.1,0.1,0.4,0.1,0.1,0.2,0.0,0.0,0.0,0.0,61.5,0.0,69.0,0.1,0.1,0.0,0.7,0.1,0.1,0.1,0.5,70.7,0.0,45001.1]
                    [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55]
               new: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] 
          detected: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] [NetBIOS][System][Acceptable]
@@ -586,7 +586,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 356.2,0.1,308.1,0.1,2.4,3.2,0.1,200.2,0.1,0.0,0.0,0.0,0.0,0.0,1.6,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,895.3,372.0,0.0,1.3,0.1,1.9,0.0,0.0,0.0]
+                   [IATS(ms)....: 356.2,0.1,308.1,0.1,2.4,3.2,0.1,200.2,0.1,0.0,0.0,0.0,0.0,0.0,1.6,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,895.3,372.0,0.0,1.3,0.1,1.9]
                    [PKTLENS.....: 278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346]
           analyse: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -595,7 +595,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17]
                    [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1]
-                   [IATS(ms)....: 306.1,4.8,325.8,248.8,4660.9,4604.2,0.4,0.6,0.8,1.0,367.7,0.1,0.1,2.5,311.4,0.1,1.7,0.1,878.3,204.5,1.6,1.1,216.5,375.5,0.0,1.5,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 306.1,4.8,325.8,248.8,4660.9,4604.2,0.4,0.6,0.8,1.0,367.7,0.1,0.1,2.5,311.4,0.1,1.7,0.1,878.3,204.5,1.6,1.1,216.5,375.5,0.0,1.5]
                    [PKTLENS.....: 268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666]
           analyse: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -604,7 +604,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 348.4,0.1,2.6,311.3,0.1,1.9,0.1,0.1,200.2,0.0,0.7,0.1,0.1,0.0,891.6,375.9,1.6,0.1,2.2,1.5,332.8,0.1,0.0,1.9,0.0,1.6,1.6,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 348.4,0.1,2.6,311.3,0.1,1.9,0.1,0.1,200.2,0.0,0.7,0.1,0.1,0.0,891.6,375.9,1.6,0.1,2.2,1.5,332.8,0.1,0.0,1.9,0.0,1.6,1.6]
                    [PKTLENS.....: 278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666]
               new: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [MIDSTREAM] 
          detected: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [HTTP.1kxun][Streaming][Fun]
@@ -632,7 +632,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12]
                    [DIRECTIONS..: 0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 380.4,4.6,408.6,215.7,0.5,1.0,1.0,178.5,0.3,0.5,379.6,185.4,1.4,0.7,331.7,5.7,174.2,6.1,0.3,0.9,170.5,0.4,6.0,1.1,0.3,0.7,169.5,0.5,0.6,5.3,0.4,0.0]
+                   [IATS(ms)....: 380.4,4.6,408.6,215.7,0.5,1.0,1.0,178.5,0.3,0.5,379.6,185.4,1.4,0.7,331.7,5.7,174.2,6.1,0.3,0.9,170.5,0.4,6.0,1.1,0.3,0.7,169.5,0.5,0.6,5.3,0.4]
                    [PKTLENS.....: 831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506]
               new: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [MIDSTREAM] 
          detected: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [HTTP.Tencent][SocialNetwork][Acceptable]
@@ -660,7 +660,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 207.0,0.4,1.1,0.7,203.5,0.4,0.5,0.8,0.4,1.2,0.6,204.0,0.5,1.9,0.8,831.8,413.6,1.5,1.6,0.4,0.9,201.6,0.4,0.6,1.0,0.9,0.4,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 207.0,0.4,1.1,0.7,203.5,0.4,0.5,0.8,0.4,1.2,0.6,204.0,0.5,1.9,0.8,831.8,413.6,1.5,1.6,0.4,0.9,201.6,0.4,0.6,1.0,0.9,0.4]
                    [PKTLENS.....: 592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506]
  detection-update: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun]
  detection-update: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun]
@@ -671,7 +671,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 216.8,1.3,1.2,217.6,0.4,0.8,0.7,0.8,206.4,3.2,0.7,1.4,202.1,0.5,2.9,0.4,0.4,0.6,0.7,876.5,236.5,0.0,2.1,0.9,206.1,0.4,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 216.8,1.3,1.2,217.6,0.4,0.8,0.7,0.8,206.4,3.2,0.7,1.4,202.1,0.5,2.9,0.4,0.4,0.6,0.7,876.5,236.5,0.0,2.1,0.9,206.1,0.4]
                    [PKTLENS.....: 580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506]
           analyse: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -680,7 +680,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 223.7,209.6,1.7,207.2,0.4,1.3,0.7,0.5,0.5,1.2,204.0,0.4,1.4,0.7,0.6,3.5,886.9,237.6,0.5,1.0,2.5,0.8,206.7,0.9,0.4,0.9,0.7,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 223.7,209.6,1.7,207.2,0.4,1.3,0.7,0.5,0.5,1.2,204.0,0.4,1.4,0.7,0.6,3.5,886.9,237.6,0.5,1.0,2.5,0.8,206.7,0.9,0.4,0.9,0.7]
                    [PKTLENS.....: 580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330]
           analyse: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -689,7 +689,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1]
-                   [IATS(ms)....: 205.6,2.1,0.0,224.8,0.4,0.3,1.4,193.7,0.4,0.4,1.7,1.3,1.9,226.0,899.7,238.0,0.0,2.4,199.2,0.5,1.0,1.3,407.3,371.5,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 205.6,2.1,0.0,224.8,0.4,0.3,1.4,193.7,0.4,0.4,1.7,1.3,1.9,226.0,899.7,238.0,0.0,2.4,199.2,0.5,1.0,1.3,407.3,371.5,1.5]
                    [PKTLENS.....: 580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786]
               new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM] 
          detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Web][Acceptable]
@@ -710,7 +710,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1]
-                   [IATS(ms)....: 188.5,0.0,1.4,179.4,1.4,0.7,0.4,2.4,0.7,270.1,0.1,0.6,3892.8,3428.9,186.1,186.3,192.6,209.0,367.2,352.3,5253.8,5339.0,3.6,6045.0,5959.1,0.4,0.5,194.9,189.4,0.0,0.0,0.0]
+                   [IATS(ms)....: 188.5,0.0,1.4,179.4,1.4,0.7,0.4,2.4,0.7,270.1,0.1,0.6,3892.8,3428.9,186.1,186.3,192.6,209.0,367.2,352.3,5253.8,5339.0,3.6,6045.0,5959.1,0.4,0.5,194.9,189.4]
                    [PKTLENS.....: 500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097]
               new: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [MIDSTREAM] 
          detected: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun]
@@ -725,7 +725,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1]
-                   [IATS(ms)....: 353.7,3.8,0.1,303.7,4.3,0.1,205.8,0.1,881.0,368.9,0.0,5.1,392.9,352.2,1.6,0.1,2.3,0.1,1.5,285.7,2.1,39119.7,38675.2,0.0,2.9,335.4,3.7,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 353.7,3.8,0.1,303.7,4.3,0.1,205.8,0.1,881.0,368.9,0.0,5.1,392.9,352.2,1.6,0.1,2.3,0.1,1.5,285.7,2.1,39119.7,38675.2,0.0,2.9,335.4,3.7]
                    [PKTLENS.....: 278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946]
           analyse: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -734,7 +734,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 326.1,0.2,328.8,0.2,2.7,177.6,0.5,1.3,2.9,0.1,0.2,0.8,2.3,401.3,1361.5,293.5,0.0,1.1,2.1,2.8,0.1,0.2,2.8,309.6,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 326.1,0.2,328.8,0.2,2.7,177.6,0.5,1.3,2.9,0.1,0.2,0.8,2.3,401.3,1361.5,293.5,0.0,1.1,2.1,2.8,0.1,0.2,2.8,309.6,1.5]
                    [PKTLENS.....: 273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386]
               new: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [MIDSTREAM] 
          detected: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [HTTP][Web][Acceptable]
@@ -778,7 +778,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 14.9,0.6,0.6,2.5,3.6,0.1,0.9,2.5,9.2,0.0,0.1,6.5,0.1,1.6,3.0,1.6,0.1,1.5,0.1,0.1,2.8,6.5,3.1,2.4,1.8,2.8,0.1,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 14.9,0.6,0.6,2.5,3.6,0.1,0.9,2.5,9.2,0.0,0.1,6.5,0.1,1.6,3.0,1.6,0.1,1.5,0.1,0.1,2.8,6.5,3.1,2.4,1.8,2.8,0.1]
                    [PKTLENS.....: 249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922]
  detection-update: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable]
           analyse: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable]
@@ -788,7 +788,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 21.0,0.2,0.1,3.1,1.7,3.1,15.8,2.2,2.0,2.7,0.1,1.5,0.6,2.9,1.6,1.5,0.1,0.1,3.5,1.6,2.8,10.5,1.4,0.1,1.6,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 21.0,0.2,0.1,3.1,1.7,3.1,15.8,2.2,2.0,2.7,0.1,1.5,0.6,2.9,1.6,1.5,0.1,0.1,3.5,1.6,2.8,10.5,1.4,0.1,1.6]
                    [PKTLENS.....: 563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778]
               new: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [MIDSTREAM] 
          detected: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP.AmazonAWS][Cloud][Acceptable]
diff --git a/test/results/flow-info/443-curl.pcap.out b/test/results/flow-info/443-curl.pcap.out
index 287a58ed9..bd98c00f4 100644
--- a/test/results/flow-info/443-curl.pcap.out
+++ b/test/results/flow-info/443-curl.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 38.7,38.8,9.6,47.6,2.8,1.1,0.0,41.9,0.0,11.8,50.9,0.0,39.1,0.0,0.7,0.0,0.0,0.1,0.1,38.5,8.9,46.6,784.1,784.0,0.4,0.1,0.5,0.1,0.1,0.2,0.2,0.0]
+                   [IATS(ms)....: 38.7,38.8,9.6,47.6,2.8,1.1,0.0,41.9,0.0,11.8,50.9,0.0,39.1,0.0,0.7,0.0,0.0,0.1,0.1,38.5,8.9,46.6,784.1,784.0,0.4,0.1,0.5,0.1,0.1,0.2,0.2]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506]
               end: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/443-firefox.pcap.out b/test/results/flow-info/443-firefox.pcap.out
index 63e6795bc..95be754d9 100644
--- a/test/results/flow-info/443-firefox.pcap.out
+++ b/test/results/flow-info/443-firefox.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 38.5,38.6,1.8,40.0,4.1,0.1,0.0,42.3,0.0,2.1,40.7,0.0,38.7,0.0,193.8,0.1,0.2,231.1,10.0,47.0,1655.7,0.1,1655.7,0.2,0.0,0.2,0.2,0.1,0.3,0.1,0.2,0.0]
+                   [IATS(ms)....: 38.5,38.6,1.8,40.0,4.1,0.1,0.0,42.3,0.0,2.1,40.7,0.0,38.7,0.0,193.8,0.1,0.2,231.1,10.0,47.0,1655.7,0.1,1655.7,0.2,0.0,0.2,0.2,0.1,0.3,0.1,0.2]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030]
               end: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/443-git.pcap.out b/test/results/flow-info/443-git.pcap.out
index 42dca0d51..618ef736f 100644
--- a/test/results/flow-info/443-git.pcap.out
+++ b/test/results/flow-info/443-git.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 110.5,110.6,6.6,119.4,0.0,0.0,112.8,0.0,11.1,124.0,112.9,0.6,143.5,0.0,142.9,0.0,6.5,0.0,0.0,6.5,0.0,0.0,0.1,0.1,1.2,0.0,1.3,0.0,0.2,0.0,0.2,0.0]
+                   [IATS(ms)....: 110.5,110.6,6.6,119.4,0.0,0.0,112.8,0.0,11.1,124.0,112.9,0.6,143.5,0.0,142.9,0.0,6.5,0.0,0.0,6.5,0.0,0.0,0.1,0.1,1.2,0.0,1.3,0.0,0.2,0.0,0.2]
                    [PKTLENS.....: 78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66]
               end: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/443-opvn.pcap.out b/test/results/flow-info/443-opvn.pcap.out
index d155d1be6..7522dc10e 100644
--- a/test/results/flow-info/443-opvn.pcap.out
+++ b/test/results/flow-info/443-opvn.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 21.6,21.7,1053.8,1075.1,1.0,22.2,0.3,57.4,57.1,21.2,11.8,33.0,0.2,0.2,20.6,20.5,9.1,0.0,20.0,11.3,22.2,20.0,20.0,0.2,21.4,21.2,0.1,58.6,1160.7,1122.5,1.3,0.0]
+                   [IATS(ms)....: 21.6,21.7,1053.8,1075.1,1.0,22.2,0.3,57.4,57.1,21.2,11.8,33.0,0.2,0.2,20.6,20.5,9.1,0.0,20.0,11.3,22.2,20.0,20.0,0.2,21.4,21.2,0.1,58.6,1160.7,1122.5,1.3]
                    [PKTLENS.....: 78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118]
               end: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/443-safari.pcap.out b/test/results/flow-info/443-safari.pcap.out
index dec6249aa..064487eaf 100644
--- a/test/results/flow-info/443-safari.pcap.out
+++ b/test/results/flow-info/443-safari.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 38.2,38.3,1.1,39.8,4.1,0.1,0.0,42.8,0.0,225.7,264.3,0.0,38.7,0.0,1.6,0.0,0.0,0.0,0.1,40.0,0.0,9.9,48.2,695.6,0.1,695.6,0.1,0.1,0.1,0.1,0.1,0.0]
+                   [IATS(ms)....: 38.2,38.3,1.1,39.8,4.1,0.1,0.0,42.8,0.0,225.7,264.3,0.0,38.7,0.0,1.6,0.0,0.0,0.0,0.1,40.0,0.0,9.9,48.2,695.6,0.1,695.6,0.1,0.1,0.1,0.1,0.1]
                    [PKTLENS.....: 78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506]
              idle: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/6in4tunnel.pcap.out b/test/results/flow-info/6in4tunnel.pcap.out
index a678d614d..c43599320 100644
--- a/test/results/flow-info/6in4tunnel.pcap.out
+++ b/test/results/flow-info/6in4tunnel.pcap.out
@@ -9,7 +9,7 @@
                    [BINS(c->s)..: 0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 104.8,780.1,221.1,1000.5,1001.7,1001.1,1001.7,1005.1,1001.1,1000.8,1001.1,1001.1,1001.4,999.9,1001.9,1003.1,365.4,1.1,349.0,4.1,96.7,99.1,95.7,0.8,97.9,1.0,0.1,98.1,0.1,8.8,0.5,0.0]
+                   [IATS(ms)....: 104.8,780.1,221.1,1000.5,1001.7,1001.1,1001.7,1005.1,1001.1,1000.8,1001.1,1001.1,1001.4,999.9,1001.9,1003.1,365.4,1.1,349.0,4.1,96.7,99.1,95.7,0.8,97.9,1.0,0.1,98.1,0.1,8.8,0.5]
                    [PKTLENS.....: 138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159]
      not-detected: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated]
              idle: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated]
diff --git a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
index 0631f18ac..769222cd2 100644
--- a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
+++ b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
@@ -16,7 +16,7 @@
                    [BINS(c->s)..: 0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 0.1,2.6,0.1,4369.7,0.2,4369.4,0.1,4370.2,0.1,4370.2,0.1,4369.9,0.1,4370.1,0.3,4370.0,0.1,4369.4,0.1,3508.4,3524.3,204.4,193.0,657.5,0.0,652.5,0.2,4369.7,0.1,4370.2,0.6,0.0]
+                   [IATS(ms)....: 0.1,2.6,0.1,4369.7,0.2,4369.4,0.1,4370.2,0.1,4370.2,0.1,4369.9,0.1,4370.1,0.3,4370.0,0.1,4369.4,0.1,3508.4,3524.3,204.4,193.0,657.5,0.0,652.5,0.2,4369.7,0.1,4370.2,0.6]
                    [PKTLENS.....: 87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165]
               new: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] 
          detected: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] [RTP][Media][Acceptable]
@@ -27,7 +27,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 20.8,19.1,39.5,1.4,20.0,20.0,19.3,20.5,19.6,19.9,21.0,20.3,18.5,20.4,19.7,19.9,20.4,20.2,19.7,20.4,19.3,20.5,20.1,20.0,19.6,20.0,19.9,20.3,20.2,19.8,20.0,0.0]
+                   [IATS(ms)....: 20.8,19.1,39.5,1.4,20.0,20.0,19.3,20.5,19.6,19.9,21.0,20.3,18.5,20.4,19.7,19.9,20.4,20.2,19.7,20.4,19.3,20.5,20.1,20.0,19.6,20.0,19.9,20.3,20.2,19.8,20.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
            update: [.....1] [ip4][..udp] [....10.35.40.22][.2944] -> [.....10.23.1.42][.2944] [Megaco][VoIP][Acceptable]
           analyse: [.....3] [ip4][..udp] [....10.35.40.25][.5060] -> [...10.35.40.200][.5060] [SIP][VoIP][Acceptable]
@@ -37,7 +37,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 1.4,6.0,0.3,162.7,0.4,6673.1,0.7,6843.3,0.4,2041.5,0.8,2040.7,0.3,12.4,0.7,131.8,0.4,27628.4,0.4,27585.5,0.5,6913.8,0.7,6841.3,0.3,84.0,0.4,88.1,0.4,19.8,1.0,0.0]
+                   [IATS(ms)....: 1.4,6.0,0.3,162.7,0.4,6673.1,0.7,6843.3,0.4,2041.5,0.8,2040.7,0.3,12.4,0.7,131.8,0.4,27628.4,0.4,27585.5,0.5,6913.8,0.7,6841.3,0.3,84.0,0.4,88.1,0.4,19.8,1.0]
                    [PKTLENS.....: 919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923]
            update: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] [SIP][VoIP][Acceptable]
            update: [.....2] [ip4][..udp] [....10.35.60.72][.5060] -> [...10.35.60.100][.5060] [SIP][VoIP][Acceptable]
diff --git a/test/results/flow-info/KakaoTalk_chat.pcap.out b/test/results/flow-info/KakaoTalk_chat.pcap.out
index b07ae5283..516ed1dbd 100644
--- a/test/results/flow-info/KakaoTalk_chat.pcap.out
+++ b/test/results/flow-info/KakaoTalk_chat.pcap.out
@@ -109,7 +109,7 @@
                    [BINS(c->s)..: 10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1]
-                   [IATS(ms)....: 37.0,40.3,0.3,47.7,4.0,72.1,0.7,124.0,0.2,15.9,0.7,16.6,0.2,12.2,67.2,36.0,15.8,0.7,105.9,38.1,60.4,4.5,0.1,3.9,174.3,67.7,16.8,17.0,108.5,0.7,81.1,0.0]
+                   [IATS(ms)....: 37.0,40.3,0.3,47.7,4.0,72.1,0.7,124.0,0.2,15.9,0.7,16.6,0.2,12.2,67.2,36.0,15.8,0.7,105.9,38.1,60.4,4.5,0.1,3.9,174.3,67.7,16.8,17.0,108.5,0.7,81.1]
                    [PKTLENS.....: 76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56]
               new: [....31] [ip4][..tcp] [...10.24.82.188][42332] -> [.210.103.240.15][..443] [MIDSTREAM] 
               new: [....32] [ip4][..tcp] [...10.24.82.188][37557] -> [....31.13.68.84][...80] 
@@ -124,7 +124,7 @@
                    [BINS(c->s)..: 11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0]
-                   [IATS(ms)....: 995.9,1037.9,49.3,6.7,695.5,683.6,56.0,2329.9,2320.4,251.6,299.0,4.5,4.4,4.1,3.7,105.5,239.4,242.2,376.5,82.6,125.8,244.5,287.3,18.1,164.6,239.0,428.1,146.0,274.1,3803.0,24.7,0.0]
+                   [IATS(ms)....: 995.9,1037.9,49.3,6.7,695.5,683.6,56.0,2329.9,2320.4,251.6,299.0,4.5,4.4,4.1,3.7,105.5,239.4,242.2,376.5,82.6,125.8,244.5,287.3,18.1,164.6,239.0,428.1,146.0,274.1,3803.0,24.7]
                    [PKTLENS.....: 76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132]
  detection-update: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] [TLS.Facebook][SocialNetwork][Fun]
                    RISK: Obsolete TLS (v1.1 or older)
@@ -152,7 +152,7 @@
                    [BINS(c->s)..: 10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 41.7,45.8,2.2,39.5,11.3,448.4,0.2,2.9,498.7,0.2,0.1,36.9,124.2,229.9,322.0,23.0,161.8,229.9,405.3,0.2,57.4,108.2,76.0,156.0,245.1,68.0,69.5,26937.8,56.9,27030.7,8.1,0.0]
+                   [IATS(ms)....: 41.7,45.8,2.2,39.5,11.3,448.4,0.2,2.9,498.7,0.2,0.1,36.9,124.2,229.9,322.0,23.0,161.8,229.9,405.3,0.2,57.4,108.2,76.0,156.0,245.1,68.0,69.5,26937.8,56.9,27030.7,8.1]
                    [PKTLENS.....: 76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56]
            update: [....19] [ip4][.icmp] [...10.24.82.188] -> [...10.188.191.1] [ICMP][Network][Acceptable]
               new: [....38] [ip4][..tcp] [...10.24.82.188][58964] -> [.54.255.253.199][.5223] 
diff --git a/test/results/flow-info/KakaoTalk_talk.pcap.out b/test/results/flow-info/KakaoTalk_talk.pcap.out
index 90ef3ea7c..2115cde19 100644
--- a/test/results/flow-info/KakaoTalk_talk.pcap.out
+++ b/test/results/flow-info/KakaoTalk_talk.pcap.out
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1]
-                   [IATS(ms)....: 2.1,0.1,91.3,0.2,98.3,0.1,103.5,389.0,99.4,0.2,41.7,34.1,94.1,1.2,99.9,98.5,32.0,72.3,100.1,1.0,27.9,87.8,99.7,0.0,76.1,16.1,99.2,84.2,99.9,1.1,113.1,0.0]
+                   [IATS(ms)....: 2.1,0.1,91.3,0.2,98.3,0.1,103.5,389.0,99.4,0.2,41.7,34.1,94.1,1.2,99.9,98.5,32.0,72.3,100.1,1.0,27.9,87.8,99.7,0.0,76.1,16.1,99.2,84.2,99.9,1.1,113.1]
                    [PKTLENS.....: 100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99]
           analyse: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Media][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -48,7 +48,7 @@
                    [BINS(c->s)..: 0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1]
-                   [IATS(ms)....: 36.1,39.2,140.3,102.0,35.2,98.1,7.9,55.8,42.0,93.4,6.8,89.9,91.8,48.2,40.2,100.1,12.0,81.5,89.4,7.0,84.1,40.7,87.7,54.9,38.8,107.9,4.2,87.6,68.5,32.3,143.9,0.0]
+                   [IATS(ms)....: 36.1,39.2,140.3,102.0,35.2,98.1,7.9,55.8,42.0,93.4,6.8,89.9,91.8,48.2,40.2,100.1,12.0,81.5,89.4,7.0,84.1,40.7,87.7,54.9,38.8,107.9,4.2,87.6,68.5,32.3,143.9]
                    [PKTLENS.....: 123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99]
               new: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [MIDSTREAM] 
          detected: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS.Google][Web][Acceptable]
@@ -61,7 +61,7 @@
                    [BINS(c->s)..: 8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0]
-                   [IATS(ms)....: 141.6,151.9,11.8,244.9,5.7,231.7,5.3,268.9,267.9,260.5,295.7,6066.9,6069.5,2.3,183.7,177.4,76.0,36.6,148.1,8359.6,8676.0,4.5,469.8,147.4,147.1,2.6,694.9,724.2,479.8,20336.8,1138.4,0.0]
+                   [IATS(ms)....: 141.6,151.9,11.8,244.9,5.7,231.7,5.3,268.9,267.9,260.5,295.7,6066.9,6069.5,2.3,183.7,177.4,76.0,36.6,148.1,8359.6,8676.0,4.5,469.8,147.4,147.1,2.6,694.9,724.2,479.8,20336.8,1138.4]
                    [PKTLENS.....: 76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254]
           analyse: [.....8] [ip4][..tcp] [...10.24.82.188][58857] -> [..110.76.143.50][.9001] [TLS.KakaoTalk][Chat][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -70,7 +70,7 @@
                    [BINS(c->s)..: 9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1]
-                   [IATS(ms)....: 148.0,148.3,14.4,196.3,3.7,185.6,22.2,228.4,215.7,291.7,316.8,4536.4,4872.6,301.5,147.9,147.9,122.3,336.2,8596.6,8810.7,73.7,557.6,700.9,602.5,20472.0,917.8,21237.1,519.3,0.3,0.2,1054.3,0.0]
+                   [IATS(ms)....: 148.0,148.3,14.4,196.3,3.7,185.6,22.2,228.4,215.7,291.7,316.8,4536.4,4872.6,301.5,147.9,147.9,122.3,336.2,8596.6,8810.7,73.7,557.6,700.9,602.5,20472.0,917.8,21237.1,519.3,0.3,0.2,1054.3]
                    [PKTLENS.....: 76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80]
               new: [....17] [ip4][..tcp] [173.194.117.229][..443] -> [...10.24.82.188][38380] [MIDSTREAM] 
               new: [....18] [ip4][..tcp] [.173.252.88.128][..443] -> [...10.24.82.188][59912] [MIDSTREAM] 
diff --git a/test/results/flow-info/Oscar.pcap.out b/test/results/flow-info/Oscar.pcap.out
index 09a17056f..60a7e57ae 100644
--- a/test/results/flow-info/Oscar.pcap.out
+++ b/test/results/flow-info/Oscar.pcap.out
@@ -9,7 +9,7 @@
                    [BINS(c->s)..: 11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 28.7,28.8,8.9,42.4,33.5,0.5,0.5,0.1,33.5,33.4,0.3,33.6,0.8,34.1,0.2,44.6,44.3,32.8,32.8,0.2,0.1,0.3,31.3,31.1,58175.5,58215.2,0.0,39.6,1457.4,1490.1,502.6,0.0]
+                   [IATS(ms)....: 28.7,28.8,8.9,42.4,33.5,0.5,0.5,0.1,33.5,33.4,0.3,33.6,0.8,34.1,0.2,44.6,44.3,32.8,32.8,0.2,0.1,0.3,31.3,31.1,58175.5,58215.2,0.0,39.6,1457.4,1490.1,502.6]
                    [PKTLENS.....: 78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90]
           guessed: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe]
          detected: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/WebattackXSS.pcap.out b/test/results/flow-info/WebattackXSS.pcap.out
index fd95c248d..a891c05a6 100644
--- a/test/results/flow-info/WebattackXSS.pcap.out
+++ b/test/results/flow-info/WebattackXSS.pcap.out
@@ -20,7 +20,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 0.1,0.9,0.0,0.9,1.5,2.3,23.6,26.5,34.2,32.2,1.1,1.0,0.2,0.9,0.2,0.4,39.8,69.9,111.2,1.1,61.6,62.7,1.1,842.7,846.6,3.8,131.7,132.7,1.1,2804.2,2805.2,0.0]
+                   [IATS(ms)....: 0.1,0.9,0.0,0.9,1.5,2.3,23.6,26.5,34.2,32.2,1.1,1.0,0.2,0.9,0.2,0.4,39.8,69.9,111.2,1.1,61.6,62.7,1.1,842.7,846.6,3.8,131.7,132.7,1.1,2804.2,2805.2]
                    [PKTLENS.....: 74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66]
               new: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] 
          detected: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable]
@@ -35,7 +35,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0]
-                   [IATS(ms)....: 0.2,0.9,0.0,0.9,1.5,2.1,20.7,25.9,42.5,6.0,44.4,1.3,0.2,1.3,0.1,0.1,1.2,0.3,0.4,68.6,70.5,37.8,60.4,98.3,1.1,851.7,856.3,4.6,109.7,139.3,29.5,0.0]
+                   [IATS(ms)....: 0.2,0.9,0.0,0.9,1.5,2.1,20.7,25.9,42.5,6.0,44.4,1.3,0.2,1.3,0.1,0.1,1.2,0.3,0.4,68.6,70.5,37.8,60.4,98.3,1.1,851.7,856.3,4.6,109.7,139.3,29.5]
                    [PKTLENS.....: 74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66]
          detected: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable]
                    RISK: HTTP Numeric IP Address
@@ -84,7 +84,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.8,3808.1,3808.9,3.1,3.9,1010.4,1014.2,3.8,247.0,250.6,3.6,1037.9,1041.6,3.8,265.4,269.2,3.7,1020.1,1024.5,4.4,240.9,244.6,3.7,1033.1,1036.8,3.7,252.8,256.5,3.7,1006.2,0.0]
+                   [IATS(ms)....: 0.1,0.8,3808.1,3808.9,3.1,3.9,1010.4,1014.2,3.8,247.0,250.6,3.6,1037.9,1041.6,3.8,265.4,269.2,3.7,1020.1,1024.5,4.4,240.9,244.6,3.7,1033.1,1036.8,3.7,252.8,256.5,3.7,1006.2]
                    [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]
               new: [....47] [ip4][..tcp] [.....172.16.0.1][53018] -> [..192.168.10.50][...80] 
               new: [....48] [ip4][..tcp] [.....172.16.0.1][53032] -> [..192.168.10.50][...80] 
@@ -149,7 +149,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.7,4897.8,4898.5,8.6,9.4,243.2,246.7,3.6,1041.2,1044.8,3.8,241.2,245.3,4.0,1005.5,1009.5,4.0,241.0,244.6,3.6,1008.9,1012.5,3.7,268.3,273.7,5.3,1005.6,1009.6,4.1,266.0,0.0]
+                   [IATS(ms)....: 0.1,0.7,4897.8,4898.5,8.6,9.4,243.2,246.7,3.6,1041.2,1044.8,3.8,241.2,245.3,4.0,1005.5,1009.5,4.0,241.0,244.6,3.6,1008.9,1012.5,3.7,268.3,273.7,5.3,1005.6,1009.6,4.1,266.0]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651]
               end: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable]
                    RISK: HTTP Numeric IP Address
@@ -273,7 +273,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,3826.3,3827.2,3.1,3.9,1023.0,1026.9,3.9,268.2,273.7,5.4,1005.2,1009.2,4.0,256.2,259.9,3.6,1006.9,1010.6,3.7,250.1,253.8,3.8,1011.3,1016.1,4.8,241.0,244.7,3.6,1020.5,0.0]
+                   [IATS(ms)....: 0.1,0.9,3826.3,3827.2,3.1,3.9,1023.0,1026.9,3.9,268.2,273.7,5.4,1005.2,1009.2,4.0,256.2,259.9,3.6,1006.9,1010.6,3.7,250.1,253.8,3.8,1011.3,1016.1,4.8,241.0,244.7,3.6,1020.5]
                    [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449]
               new: [...120] [ip4][..tcp] [.....172.16.0.1][54376] -> [..192.168.10.50][...80] 
               new: [...121] [ip4][..tcp] [.....172.16.0.1][54390] -> [..192.168.10.50][...80] 
@@ -392,7 +392,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.7,3641.9,3642.6,3.1,4.1,234.1,238.5,4.2,1006.1,1011.0,4.9,233.1,236.8,3.8,1005.6,1010.7,5.0,236.2,239.8,3.6,1006.8,1010.5,3.7,232.6,236.3,3.6,1034.9,1038.9,4.1,256.3,0.0]
+                   [IATS(ms)....: 0.1,0.7,3641.9,3642.6,3.1,4.1,234.1,238.5,4.2,1006.1,1011.0,4.9,233.1,236.8,3.8,1005.6,1010.7,5.0,236.2,239.8,3.6,1006.8,1010.5,3.7,232.6,236.3,3.6,1034.9,1038.9,4.1,256.3]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651]
               new: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] 
               new: [...159] [ip4][..tcp] [.....172.16.0.1][55078] -> [..192.168.10.50][...80] 
@@ -507,7 +507,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,3784.1,3784.9,3.1,3.8,1004.0,1007.6,3.7,223.7,227.4,3.7,1007.8,1011.6,3.8,255.8,259.5,3.6,1007.9,1012.0,4.2,230.4,234.8,4.3,1037.5,1041.9,4.5,238.3,242.0,3.7,1009.9,0.0]
+                   [IATS(ms)....: 0.1,0.9,3784.1,3784.9,3.1,3.8,1004.0,1007.6,3.7,223.7,227.4,3.7,1007.8,1011.6,3.8,255.8,259.5,3.6,1007.9,1012.0,4.2,230.4,234.8,4.3,1037.5,1041.9,4.5,238.3,242.0,3.7,1009.9]
                    [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449]
               new: [...196] [ip4][..tcp] [.....172.16.0.1][55740] -> [..192.168.10.50][...80] 
           guessed: [...117] [ip4][..tcp] [.....172.16.0.1][54322] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable]
@@ -639,7 +639,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 0.1,0.7,4804.7,4805.4,3.1,3.8,248.6,252.2,3.7,1022.4,1026.2,3.8,225.2,229.2,0.0,4.0,1026.8,1030.9,4.2,232.5,236.2,0.1,3.6,1006.0,1010.7,4.8,233.2,236.8,3.6,1008.0,1011.7,0.0]
+                   [IATS(ms)....: 0.1,0.7,4804.7,4805.4,3.1,3.8,248.6,252.2,3.7,1022.4,1026.2,3.8,225.2,229.2,0.0,4.0,1026.8,1030.9,4.2,232.5,236.2,0.1,3.6,1006.0,1010.7,4.8,233.2,236.8,3.6,1008.0,1011.7]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836]
               new: [...233] [ip4][..tcp] [.....172.16.0.1][56414] -> [..192.168.10.50][...80] 
               new: [...234] [ip4][..tcp] [.....172.16.0.1][56428] -> [..192.168.10.50][...80] 
@@ -761,7 +761,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,3818.1,3819.0,2.9,3.6,1026.8,1031.2,4.4,231.9,235.6,3.8,1007.0,1010.7,3.8,236.2,239.9,3.6,1008.9,1012.8,4.2,228.6,232.8,4.0,1040.9,1048.3,7.4,251.6,255.2,3.6,1017.7,0.0]
+                   [IATS(ms)....: 0.1,0.9,3818.1,3819.0,2.9,3.6,1026.8,1031.2,4.4,231.9,235.6,3.8,1007.0,1010.7,3.8,236.2,239.9,3.6,1008.9,1012.8,4.2,228.6,232.8,4.0,1040.9,1048.3,7.4,251.6,255.2,3.6,1017.7]
                    [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]
               new: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] 
               new: [...273] [ip4][..tcp] [.....172.16.0.1][57130] -> [..192.168.10.50][...80] 
@@ -882,7 +882,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,3535.3,3536.2,3.0,3.9,353.5,357.6,4.1,1009.5,1013.5,4.1,235.9,239.6,3.7,1007.5,1011.2,3.7,236.1,239.8,3.7,1007.6,1011.4,3.8,240.9,244.7,3.7,1011.7,1015.5,3.8,232.1,0.0]
+                   [IATS(ms)....: 0.1,0.9,3535.3,3536.2,3.0,3.9,353.5,357.6,4.1,1009.5,1013.5,4.1,235.9,239.6,3.7,1007.5,1011.2,3.7,236.1,239.8,3.7,1007.6,1011.4,3.8,240.9,244.7,3.7,1011.7,1015.5,3.8,232.1]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]
               new: [...310] [ip4][..tcp] [.....172.16.0.1][57792] -> [..192.168.10.50][...80] 
               new: [...311] [ip4][..tcp] [.....172.16.0.1][57806] -> [..192.168.10.50][...80] 
@@ -1017,7 +1017,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.7,3808.9,3809.5,3.4,4.1,1007.1,1011.3,4.3,225.9,229.5,3.8,1021.8,1025.8,4.1,234.0,238.5,4.5,1006.3,1010.7,4.3,238.5,243.2,4.5,1006.7,1011.2,4.5,253.5,257.1,3.6,1008.0,0.0]
+                   [IATS(ms)....: 0.1,0.7,3808.9,3809.5,3.4,4.1,1007.1,1011.3,4.3,225.9,229.5,3.8,1021.8,1025.8,4.1,234.0,238.5,4.5,1006.3,1010.7,4.3,238.5,243.2,4.5,1006.7,1011.2,4.5,253.5,257.1,3.6,1008.0]
                    [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449]
               new: [...348] [ip4][..tcp] [.....172.16.0.1][58468] -> [..192.168.10.50][...80] 
               new: [...349] [ip4][..tcp] [.....172.16.0.1][58482] -> [..192.168.10.50][...80] 
@@ -1138,7 +1138,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]
-                   [IATS(ms)....: 0.1,1.1,4821.8,4822.9,2.9,6.0,222.0,227.9,5.0,1.0,1005.0,1011.2,4.1,265.5,269.3,3.6,1019.9,1023.5,4.0,238.2,242.3,4.8,1006.0,1010.7,4.0,237.9,242.4,5.0,1011.0,1016.0,5.0,0.0]
+                   [IATS(ms)....: 0.1,1.1,4821.8,4822.9,2.9,6.0,222.0,227.9,5.0,1.0,1005.0,1011.2,4.1,265.5,269.3,3.6,1019.9,1023.5,4.0,238.2,242.3,4.8,1006.0,1010.7,4.0,237.9,242.4,5.0,1011.0,1016.0,5.0]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66]
               new: [...386] [ip4][..tcp] [.....172.16.0.1][59150] -> [..192.168.10.50][...80] 
               new: [...387] [ip4][..tcp] [.....172.16.0.1][59164] -> [..192.168.10.50][...80] 
@@ -1262,7 +1262,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.7,3766.4,3767.0,3.5,4.2,1039.9,1045.4,5.5,227.3,230.9,3.6,1037.1,1040.9,3.8,252.9,256.6,3.8,1024.0,1027.8,3.7,237.3,241.0,3.6,1007.8,1011.5,3.7,235.0,238.7,3.7,1007.2,0.0]
+                   [IATS(ms)....: 0.1,0.7,3766.4,3767.0,3.5,4.2,1039.9,1045.4,5.5,227.3,230.9,3.6,1037.1,1040.9,3.8,252.9,256.6,3.8,1024.0,1027.8,3.7,237.3,241.0,3.6,1007.8,1011.5,3.7,235.0,238.7,3.7,1007.2]
                    [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449]
               new: [...425] [ip4][..tcp] [.....172.16.0.1][59852] -> [..192.168.10.50][...80] 
               new: [...426] [ip4][..tcp] [.....172.16.0.1][59866] -> [..192.168.10.50][...80] 
@@ -1400,7 +1400,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,3581.2,3582.1,3.3,4.1,271.0,275.6,4.6,1007.5,1011.3,3.8,268.9,273.0,4.1,1007.5,1011.6,4.2,263.6,267.5,3.9,1019.8,1023.7,4.0,253.2,261.2,7.9,1002.9,1011.8,8.9,255.9,0.0]
+                   [IATS(ms)....: 0.1,0.9,3581.2,3582.1,3.3,4.1,271.0,275.6,4.6,1007.5,1011.3,3.8,268.9,273.0,4.1,1007.5,1011.6,4.2,263.6,267.5,3.9,1019.8,1023.7,4.0,253.2,261.2,7.9,1002.9,1011.8,8.9,255.9]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651]
               new: [...464] [ip4][..tcp] [.....172.16.0.1][60572] -> [..192.168.10.50][...80] 
               new: [...465] [ip4][..tcp] [.....172.16.0.1][60598] -> [..192.168.10.50][...80] 
@@ -1519,7 +1519,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.2,0.9,3861.2,3862.0,3.2,4.0,1007.4,1011.0,3.7,256.9,260.5,3.6,1018.3,1022.0,3.6,243.4,247.0,3.6,1033.5,1037.2,3.7,244.2,248.3,4.1,1037.5,1041.7,4.2,261.5,265.1,3.6,1039.0,0.0]
+                   [IATS(ms)....: 0.2,0.9,3861.2,3862.0,3.2,4.0,1007.4,1011.0,3.7,256.9,260.5,3.6,1018.3,1022.0,3.6,243.4,247.0,3.6,1033.5,1037.2,3.7,244.2,248.3,4.1,1037.5,1041.7,4.2,261.5,265.1,3.6,1039.0]
                    [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449]
               new: [...502] [ip4][..tcp] [.....172.16.0.1][33028] -> [..192.168.10.50][...80] 
               new: [...503] [ip4][..tcp] [.....172.16.0.1][33042] -> [..192.168.10.50][...80] 
@@ -1642,7 +1642,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.9,4839.8,4840.6,3.7,4.5,263.2,266.8,3.7,1005.3,1009.1,3.8,260.6,264.4,3.8,1025.0,1028.7,3.7,266.1,269.7,3.7,1007.6,1011.9,4.3,260.9,265.1,4.2,1006.7,1010.8,4.2,244.8,0.0]
+                   [IATS(ms)....: 0.1,0.9,4839.8,4840.6,3.7,4.5,263.2,266.8,3.7,1005.3,1009.1,3.8,260.6,264.4,3.8,1025.0,1028.7,3.7,266.1,269.7,3.7,1007.6,1011.9,4.3,260.9,265.1,4.2,1006.7,1010.8,4.2,244.8]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651]
               new: [...538] [ip4][..tcp] [.....172.16.0.1][33688] -> [..192.168.10.50][...80] 
               new: [...539] [ip4][..tcp] [.....172.16.0.1][33702] -> [..192.168.10.50][...80] 
@@ -1759,7 +1759,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0]
-                   [IATS(ms)....: 0.2,0.7,2587.7,2588.4,3.7,4.5,1020.5,1024.9,4.4,244.7,248.4,3.7,1042.3,1047.0,4.6,242.3,246.0,3.7,1031.2,1034.9,3.7,241.4,245.1,3.6,0.5,1025.2,1029.3,3.8,251.3,255.5,4.2,0.0]
+                   [IATS(ms)....: 0.2,0.7,2587.7,2588.4,3.7,4.5,1020.5,1024.9,4.4,244.7,248.4,3.7,1042.3,1047.0,4.6,242.3,246.0,3.7,1031.2,1034.9,3.7,241.4,245.1,3.6,0.5,1025.2,1029.3,3.8,251.3,255.5,4.2]
                    [PKTLENS.....: 74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66]
           guessed: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable]
               end: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] 
@@ -1893,7 +1893,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.2,0.9,4896.4,4897.2,3.1,3.9,250.4,254.5,4.1,1006.9,1011.0,4.1,267.3,271.2,3.9,1008.0,1012.0,4.0,246.8,250.4,3.6,1038.7,1042.4,3.7,241.6,245.2,3.6,1046.3,1049.9,3.8,242.0,0.0]
+                   [IATS(ms)....: 0.2,0.9,4896.4,4897.2,3.1,3.9,250.4,254.5,4.1,1006.9,1011.0,4.1,267.3,271.2,3.9,1008.0,1012.0,4.0,246.8,250.4,3.6,1038.7,1042.4,3.7,241.6,245.2,3.6,1046.3,1049.9,3.8,242.0]
                    [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]
               new: [...613] [ip4][..tcp] [.....172.16.0.1][35074] -> [..192.168.10.50][...80] 
               new: [...614] [ip4][..tcp] [.....172.16.0.1][35088] -> [..192.168.10.50][...80] 
@@ -2009,7 +2009,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.1,0.7,3953.2,3953.8,3.0,3.8,1020.6,1024.3,3.7,248.2,252.3,4.2,1041.7,1046.0,4.3,255.1,258.8,3.6,1007.1,1010.8,3.7,252.7,256.2,3.6,1010.5,1014.2,3.8,262.9,266.7,3.8,1039.9,0.0]
+                   [IATS(ms)....: 0.1,0.7,3953.2,3953.8,3.0,3.8,1020.6,1024.3,3.7,248.2,252.3,4.2,1041.7,1046.0,4.3,255.1,258.8,3.6,1007.1,1010.8,3.7,252.7,256.2,3.6,1010.5,1014.2,3.8,262.9,266.7,3.8,1039.9]
                    [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449]
               new: [...650] [ip4][..tcp] [.....172.16.0.1][35736] -> [..192.168.10.50][...80] 
               new: [...651] [ip4][..tcp] [.....172.16.0.1][35762] -> [..192.168.10.50][...80] 
diff --git a/test/results/flow-info/aimini-http.pcap.out b/test/results/flow-info/aimini-http.pcap.out
index f1e6005e8..663e4f32b 100644
--- a/test/results/flow-info/aimini-http.pcap.out
+++ b/test/results/flow-info/aimini-http.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.5,1.1,0.4,1.0,0.0,0.7,0.1,0.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.2,0.0,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.2,0.0,0.1,1.1,0.0,0.0]
+                   [IATS(ms)....: 0.5,1.1,0.4,1.0,0.0,0.7,0.1,0.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.2,0.0,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.2,0.0,0.1,1.1,0.0]
                    [PKTLENS.....: 62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514]
               new: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] 
          detected: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun]
diff --git a/test/results/flow-info/alexa-app.pcapng.out b/test/results/flow-info/alexa-app.pcapng.out
index 7269ea261..f8b26e5b5 100644
--- a/test/results/flow-info/alexa-app.pcapng.out
+++ b/test/results/flow-info/alexa-app.pcapng.out
@@ -128,7 +128,7 @@
                    [BINS(c->s)..: 11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 47.0,53.0,0.3,73.2,0.1,18.9,0.4,0.3,0.4,88.2,0.3,0.7,0.2,8.1,32.8,75.3,63.7,49.4,70.9,0.8,90.5,2.0,0.4,0.5,0.4,0.5,0.7,0.0,5.3,0.3,1.1,0.0]
+                   [IATS(ms)....: 47.0,53.0,0.3,73.2,0.1,18.9,0.4,0.3,0.4,88.2,0.3,0.7,0.2,8.1,32.8,75.3,63.7,49.4,70.9,0.8,90.5,2.0,0.4,0.5,0.4,0.5,0.7,0.0,5.3,0.3,1.1]
                    [PKTLENS.....: 74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66]
  detection-update: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable]
  detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable]
@@ -143,7 +143,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0]
-                   [IATS(ms)....: 55.7,59.3,1.4,66.6,0.4,0.1,64.1,4.8,0.3,2.7,66.9,3.1,100.8,8.3,108.4,5.9,66.9,500.8,354.1,941.1,3.0,88.7,111.8,176.5,0.2,64.7,9.2,104.2,1015.9,966.5,45.6,0.0]
+                   [IATS(ms)....: 55.7,59.3,1.4,66.6,0.4,0.1,64.1,4.8,0.3,2.7,66.9,3.1,100.8,8.3,108.4,5.9,66.9,500.8,354.1,941.1,3.0,88.7,111.8,176.5,0.2,64.7,9.2,104.2,1015.9,966.5,45.6]
                    [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54]
  detection-update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable]
               new: [....41] [ip4][..tcp] [..172.16.42.216][42129] -> [..72.21.206.135][..443] 
@@ -187,7 +187,7 @@
                    [BINS(c->s)..: 10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 54.2,55.4,0.5,50.3,258.9,520.1,785.3,3.8,0.2,0.1,0.0,60.8,0.3,0.1,0.1,52.1,11.0,287.0,223.9,2.7,139.2,0.2,171.9,179.9,0.1,402.7,22.4,216.5,783.8,835.9,50.5,0.0]
+                   [IATS(ms)....: 54.2,55.4,0.5,50.3,258.9,520.1,785.3,3.8,0.2,0.1,0.0,60.8,0.3,0.1,0.1,52.1,11.0,287.0,223.9,2.7,139.2,0.2,171.9,179.9,0.1,402.7,22.4,216.5,783.8,835.9,50.5]
                    [PKTLENS.....: 74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54]
  detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable]
               new: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] 
@@ -217,7 +217,7 @@
                    [BINS(c->s)..: 4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0]
                    [BINS(s->c)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 57.0,58.6,1.8,56.8,4.8,0.1,59.3,0.3,22.9,80.0,5.9,71.8,0.3,0.1,0.6,0.3,0.2,1.4,0.3,0.1,67.8,34.8,23.9,352.1,295.3,0.1,57.7,0.7,60.6,0.1,59.8,0.0]
+                   [IATS(ms)....: 57.0,58.6,1.8,56.8,4.8,0.1,59.3,0.3,22.9,80.0,5.9,71.8,0.3,0.1,0.6,0.3,0.2,1.4,0.3,0.1,67.8,34.8,23.9,352.1,295.3,0.1,57.7,0.7,60.6,0.1,59.8]
                    [PKTLENS.....: 74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514]
               new: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] 
          detected: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable]
@@ -266,7 +266,7 @@
                    [BINS(c->s)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]
                    [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1]
-                   [IATS(ms)....: 52.9,67.2,1.0,63.2,9.6,59.8,0.3,20.9,0.5,0.2,0.2,1.1,0.2,97.5,0.1,7.3,15.9,484.6,0.2,0.2,116.0,306.3,538.3,1116.6,2896.8,0.3,0.2,0.1,0.1,583.2,913.8,0.0]
+                   [IATS(ms)....: 52.9,67.2,1.0,63.2,9.6,59.8,0.3,20.9,0.5,0.2,0.2,1.1,0.2,97.5,0.1,7.3,15.9,484.6,0.2,0.2,116.0,306.3,538.3,1116.6,2896.8,0.3,0.2,0.1,0.1,583.2,913.8]
                    [PKTLENS.....: 74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66]
           analyse: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -275,7 +275,7 @@
                    [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 92.4,95.4,2.4,97.4,1.9,14.1,0.3,0.1,113.4,0.3,0.2,49.6,132.6,83.3,183.9,0.3,326.1,293.1,272.4,0.1,443.7,0.4,0.5,0.0,276.5,199.2,0.5,0.0,0.7,486.1,0.4,0.0]
+                   [IATS(ms)....: 92.4,95.4,2.4,97.4,1.9,14.1,0.3,0.1,113.4,0.3,0.2,49.6,132.6,83.3,183.9,0.3,326.1,293.1,272.4,0.1,443.7,0.4,0.5,0.0,276.5,199.2,0.5,0.0,0.7,486.1,0.4]
                    [PKTLENS.....: 74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514]
  detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][Web][Acceptable]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -382,7 +382,7 @@
                    [BINS(c->s)..: 8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0]
-                   [IATS(ms)....: 325.4,332.9,0.3,247.7,0.2,241.3,0.3,0.3,23.8,0.3,429.9,0.1,1569.5,1485.9,353.0,706.9,73.8,0.3,358.8,0.4,256.6,3.7,0.2,956.2,948.6,95.3,235.6,1.1,0.1,275.4,23.7,0.0]
+                   [IATS(ms)....: 325.4,332.9,0.3,247.7,0.2,241.3,0.3,0.3,23.8,0.3,429.9,0.1,1569.5,1485.9,353.0,706.9,73.8,0.3,358.8,0.4,256.6,3.7,0.2,956.2,948.6,95.3,235.6,1.1,0.1,275.4,23.7]
                    [PKTLENS.....: 74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514]
  detection-update: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable]
                    RISK: Weak TLS Cipher
@@ -406,7 +406,7 @@
                    [BINS(c->s)..: 4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [BINS(s->c)..: 10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1]
-                   [IATS(ms)....: 214.4,219.1,3.7,1161.8,1191.6,0.1,0.0,75.9,170.4,0.4,119.0,9.7,7.9,105.5,90.0,79.1,135.4,22.4,255.4,0.3,202.3,1.2,199.7,0.1,0.1,204.8,0.0,11.4,221.9,0.1,253.2,0.0]
+                   [IATS(ms)....: 214.4,219.1,3.7,1161.8,1191.6,0.1,0.0,75.9,170.4,0.4,119.0,9.7,7.9,105.5,90.0,79.1,135.4,22.4,255.4,0.3,202.3,1.2,199.7,0.1,0.1,204.8,0.0,11.4,221.9,0.1,253.2]
                    [PKTLENS.....: 74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60]
  detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable]
  detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable]
@@ -417,7 +417,7 @@
                    [BINS(c->s)..: 7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1]
-                   [IATS(ms)....: 1005.7,1080.3,210.2,18.7,169.7,18.0,105.0,0.1,107.2,0.3,11.7,34.8,0.1,215.2,0.3,0.1,21.7,195.6,0.3,202.8,0.7,212.9,0.3,205.8,11.0,236.3,754.7,0.3,888.9,405.4,377.3,0.0]
+                   [IATS(ms)....: 1005.7,1080.3,210.2,18.7,169.7,18.0,105.0,0.1,107.2,0.3,11.7,34.8,0.1,215.2,0.3,0.1,21.7,195.6,0.3,202.8,0.7,212.9,0.3,205.8,11.0,236.3,754.7,0.3,888.9,405.4,377.3]
                    [PKTLENS.....: 74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60]
               new: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] 
          detected: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable]
@@ -470,7 +470,7 @@
                    [BINS(c->s)..: 7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1]
-                   [IATS(ms)....: 55.9,57.4,1.4,113.3,0.4,112.3,0.1,3.2,65.7,1.4,70.0,0.2,85.3,246.6,0.1,0.0,0.1,325.6,0.3,3.8,0.8,0.2,0.3,0.1,0.3,0.3,0.6,0.4,1.1,6.7,1.2,0.0]
+                   [IATS(ms)....: 55.9,57.4,1.4,113.3,0.4,112.3,0.1,3.2,65.7,1.4,70.0,0.2,85.3,246.6,0.1,0.0,0.1,325.6,0.3,3.8,0.8,0.2,0.3,0.1,0.3,0.3,0.6,0.4,1.1,6.7,1.2]
                    [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603]
           analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -479,7 +479,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [BINS(s->c)..: 4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0]
-                   [IATS(ms)....: 109.9,111.6,1.6,102.0,0.2,101.6,0.3,1.9,56.2,0.1,87.5,19.1,7.6,147.9,304.1,639.4,932.7,32.7,0.1,0.0,0.7,0.1,0.0,0.3,0.6,110.7,0.2,1.8,0.2,0.1,0.1,0.0]
+                   [IATS(ms)....: 109.9,111.6,1.6,102.0,0.2,101.6,0.3,1.9,56.2,0.1,87.5,19.1,7.6,147.9,304.1,639.4,932.7,32.7,0.1,0.0,0.7,0.1,0.0,0.3,0.6,110.7,0.2,1.8,0.2,0.1,0.1]
                    [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54]
           analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -488,7 +488,7 @@
                    [BINS(c->s)..: 9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1]
-                   [IATS(ms)....: 992.4,1100.5,1.1,243.6,0.8,17.2,3008.6,6019.8,9247.0,0.1,67.2,0.3,0.3,66.7,669.5,0.3,275.2,528.0,1079.9,2835.2,350.0,114.6,72.1,219.3,5051.1,0.3,5193.9,65.0,174.2,2275.4,2411.2,0.0]
+                   [IATS(ms)....: 992.4,1100.5,1.1,243.6,0.8,17.2,3008.6,6019.8,9247.0,0.1,67.2,0.3,0.3,66.7,669.5,0.3,275.2,528.0,1079.9,2835.2,350.0,114.6,72.1,219.3,5051.1,0.3,5193.9,65.0,174.2,2275.4,2411.2]
                    [PKTLENS.....: 74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60]
           analyse: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -497,7 +497,7 @@
                    [BINS(c->s)..: 7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0]
-                   [IATS(ms)....: 123.6,128.0,5.4,470.5,0.6,0.6,0.0,1232.5,1.5,5.0,0.7,0.7,10.0,973.2,0.5,0.1,0.0,190.9,73.2,0.3,171.9,0.1,117.0,408.2,413.7,66.7,140.9,83.3,0.1,166.3,19096.2,0.0]
+                   [IATS(ms)....: 123.6,128.0,5.4,470.5,0.6,0.6,0.0,1232.5,1.5,5.0,0.7,0.7,10.0,973.2,0.5,0.1,0.0,190.9,73.2,0.3,171.9,0.1,117.0,408.2,413.7,66.7,140.9,83.3,0.1,166.3,19096.2]
                    [PKTLENS.....: 74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356]
  detection-update: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][Web][Acceptable]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -567,7 +567,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0]
-                   [IATS(ms)....: 58.0,60.3,1.6,154.7,0.4,0.4,0.4,0.5,0.5,0.2,0.4,156.7,0.3,4.1,0.1,3.4,0.2,0.1,0.2,0.1,0.1,0.1,7.0,268.3,295.2,18.3,286.3,0.5,0.4,286.6,4.3,0.0]
+                   [IATS(ms)....: 58.0,60.3,1.6,154.7,0.4,0.4,0.4,0.5,0.5,0.2,0.4,156.7,0.3,4.1,0.1,3.4,0.2,0.1,0.2,0.1,0.1,0.1,7.0,268.3,295.2,18.3,286.3,0.5,0.4,286.6,4.3]
                    [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66]
               new: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] 
          detected: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable]
@@ -580,7 +580,7 @@
                    [BINS(c->s)..: 7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [BINS(s->c)..: 6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 111.1,112.4,0.8,179.9,0.1,0.0,179.9,2.9,0.3,3.3,0.5,135.1,0.2,170.2,502.2,1107.1,16.8,0.2,0.2,0.0,0.0,0.0,706.6,0.4,9.7,355.9,0.3,629.2,147.8,0.1,0.1,0.0]
+                   [IATS(ms)....: 111.1,112.4,0.8,179.9,0.1,0.0,179.9,2.9,0.3,3.3,0.5,135.1,0.2,170.2,502.2,1107.1,16.8,0.2,0.2,0.0,0.0,0.0,706.6,0.4,9.7,355.9,0.3,629.2,147.8,0.1,0.1]
                    [PKTLENS.....: 74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603]
               new: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] 
               new: [...127] [ip4][..tcp] [..172.16.42.216][51993] -> [....52.84.63.56][...80] 
@@ -601,7 +601,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0]
-                   [IATS(ms)....: 31.3,34.1,0.6,113.4,46.4,0.0,0.0,0.1,0.0,0.0,11.2,1.6,7.2,179.1,0.1,0.1,0.1,0.1,0.1,3.4,0.3,0.4,4.5,99.2,0.3,120.8,46.9,0.2,0.3,0.8,17.5,0.0]
+                   [IATS(ms)....: 31.3,34.1,0.6,113.4,46.4,0.0,0.0,0.1,0.0,0.0,11.2,1.6,7.2,179.1,0.1,0.1,0.1,0.1,0.1,3.4,0.3,0.4,4.5,99.2,0.3,120.8,46.9,0.2,0.3,0.8,17.5]
                    [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66]
            update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable]
            update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Network][Acceptable]
@@ -626,7 +626,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1]
-                   [IATS(ms)....: 25.0,26.3,0.4,110.2,0.1,0.2,0.3,0.4,0.4,1.1,0.5,0.4,0.4,114.9,0.2,0.1,0.1,3.5,0.1,26.3,0.3,0.1,0.1,0.1,0.2,4.7,62.5,45.1,368.8,510.9,0.4,0.0]
+                   [IATS(ms)....: 25.0,26.3,0.4,110.2,0.1,0.2,0.3,0.4,0.4,1.1,0.5,0.4,0.4,114.9,0.2,0.1,0.1,3.5,0.1,26.3,0.3,0.1,0.1,0.1,0.2,4.7,62.5,45.1,368.8,510.9,0.4]
                    [PKTLENS.....: 74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514]
               new: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] 
          detected: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable]
@@ -645,7 +645,7 @@
                    [BINS(c->s)..: 9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0]
                    [BINS(s->c)..: 7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1]
-                   [IATS(ms)....: 77.1,79.5,13.2,60.9,0.4,0.6,0.1,48.6,1.8,3.6,177.8,227.4,44.5,20.0,267.2,445.6,122.6,0.1,0.0,0.0,282.5,8.7,270.5,1.6,407.0,0.1,164.1,0.1,290.0,120002.8,0.1,0.0]
+                   [IATS(ms)....: 77.1,79.5,13.2,60.9,0.4,0.6,0.1,48.6,1.8,3.6,177.8,227.4,44.5,20.0,267.2,445.6,122.6,0.1,0.0,0.0,282.5,8.7,270.5,1.6,407.0,0.1,164.1,0.1,290.0,120002.8,0.1]
                    [PKTLENS.....: 74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66]
  detection-update: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][Web][Acceptable]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -765,7 +765,7 @@
                    [BINS(c->s)..: 9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 133.8,140.4,3.2,141.6,1.3,0.1,137.2,0.3,0.1,2.7,82.2,0.2,95.7,0.4,359.1,405.4,633.6,688.6,100.8,373.1,50.8,202.6,7767.1,1.6,8001.1,353.8,410.1,314.8,108.3,0.2,84.0,0.0]
+                   [IATS(ms)....: 133.8,140.4,3.2,141.6,1.3,0.1,137.2,0.3,0.1,2.7,82.2,0.2,95.7,0.4,359.1,405.4,633.6,688.6,100.8,373.1,50.8,202.6,7767.1,1.6,8001.1,353.8,410.1,314.8,108.3,0.2,84.0]
                    [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54]
  detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][Web][Acceptable]
                    RISK: Weak TLS Cipher
@@ -797,7 +797,7 @@
                    [BINS(c->s)..: 9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0]
-                   [IATS(ms)....: 42.7,43.7,0.7,45.0,4.0,0.5,0.6,0.3,50.6,0.8,0.3,1.1,7.3,12.7,0.3,65.6,42.6,4.2,48.9,0.4,25.2,76.4,106.0,0.2,0.6,0.6,0.3,0.0,102.0,2.9,1.9,0.0]
+                   [IATS(ms)....: 42.7,43.7,0.7,45.0,4.0,0.5,0.6,0.3,50.6,0.8,0.3,1.1,7.3,12.7,0.3,65.6,42.6,4.2,48.9,0.4,25.2,76.4,106.0,0.2,0.6,0.6,0.3,0.0,102.0,2.9,1.9]
                    [PKTLENS.....: 74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66]
  detection-update: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable]
               new: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] 
@@ -859,7 +859,7 @@
                    [BINS(c->s)..: 10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 16.7,17.9,1.6,27.3,5.3,0.5,0.5,0.3,32.5,0.3,12.9,0.3,0.1,39.0,52.8,61.9,0.5,0.3,0.1,35.1,0.7,5.1,216.8,261.8,0.2,39.4,7.5,74.2,66.6,42.1,0.4,0.0]
+                   [IATS(ms)....: 16.7,17.9,1.6,27.3,5.3,0.5,0.5,0.3,32.5,0.3,12.9,0.3,0.1,39.0,52.8,61.9,0.5,0.3,0.1,35.1,0.7,5.1,216.8,261.8,0.2,39.4,7.5,74.2,66.6,42.1,0.4]
                    [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514]
  detection-update: [...154] [ip4][..tcp] [..172.16.42.216][41913] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable]
           analyse: [...157] [ip4][..tcp] [..172.16.42.216][38483] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable]
@@ -869,7 +869,7 @@
                    [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 34.0,35.1,2.2,37.9,5.1,0.5,0.2,42.9,0.3,0.1,30.8,68.8,38.4,227.1,241.4,50.1,58.4,55.5,3.8,2.0,4.4,1.6,0.7,7.8,0.1,0.1,9.0,0.3,3.1,0.8,10.2,0.0]
+                   [IATS(ms)....: 34.0,35.1,2.2,37.9,5.1,0.5,0.2,42.9,0.3,0.1,30.8,68.8,38.4,227.1,241.4,50.1,58.4,55.5,3.8,2.0,4.4,1.6,0.7,7.8,0.1,0.1,9.0,0.3,3.1,0.8,10.2]
                    [PKTLENS.....: 74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514]
               new: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] 
          detected: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable]
@@ -880,7 +880,7 @@
                    [BINS(c->s)..: 12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0]
-                   [IATS(ms)....: 22.8,24.0,0.9,22.8,6.6,0.6,0.6,0.3,39.7,0.1,0.1,0.2,6.8,37.6,46.2,226.7,213.1,3.9,222.3,264.1,0.1,55.3,103.4,0.1,10.4,183.9,242.5,1.0,0.1,38.6,0.1,0.0]
+                   [IATS(ms)....: 22.8,24.0,0.9,22.8,6.6,0.6,0.6,0.3,39.7,0.1,0.1,0.2,6.8,37.6,46.2,226.7,213.1,3.9,222.3,264.1,0.1,55.3,103.4,0.1,10.4,183.9,242.5,1.0,0.1,38.6,0.1]
                    [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66]
  detection-update: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable]
  detection-update: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable]
@@ -894,7 +894,7 @@
                    [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 168.5,171.2,1.5,108.9,4.4,1.7,0.7,112.7,0.3,4.1,0.2,6.2,0.1,10.4,13.1,1.1,0.3,290.4,0.0,0.0,0.1,299.4,0.7,529.3,1065.9,2114.2,3665.4,7470.6,595.2,595.1,1817.1,0.0]
+                   [IATS(ms)....: 168.5,171.2,1.5,108.9,4.4,1.7,0.7,112.7,0.3,4.1,0.2,6.2,0.1,10.4,13.1,1.1,0.3,290.4,0.0,0.0,0.1,299.4,0.7,529.3,1065.9,2114.2,3665.4,7470.6,595.2,595.1,1817.1]
                    [PKTLENS.....: 74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60]
  detection-update: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] [TLS.AmazonAWS][Cloud][Acceptable]
          detected: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable]
diff --git a/test/results/flow-info/amqp.pcap.out b/test/results/flow-info/amqp.pcap.out
index 4c65ba42b..edb1a7ec5 100644
--- a/test/results/flow-info/amqp.pcap.out
+++ b/test/results/flow-info/amqp.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.2,0.2,0.1,0.1,2001.7,2001.7,0.2,0.2,0.1,0.1,1032.6,1032.6,0.1,0.1,0.1,0.1,11.0,11.0,0.1,0.1,0.1,0.1,17.7,17.7,0.1,0.1,0.1,0.1,412.7,412.7,0.0]
+                   [IATS(ms)....: 0.0,0.2,0.2,0.1,0.1,2001.7,2001.7,0.2,0.2,0.1,0.1,1032.6,1032.6,0.1,0.1,0.1,0.1,11.0,11.0,0.1,0.1,0.1,0.1,17.7,17.7,0.1,0.1,0.1,0.1,412.7,412.7]
                    [PKTLENS.....: 107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66]
              idle: [.....2] [ip4][..tcp] [......127.0.1.1][.5672] -> [......127.0.0.1][44204] [AMQP][RPC][Acceptable]
              idle: [.....1] [ip4][..tcp] [......127.0.0.1][44205] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable]
diff --git a/test/results/flow-info/android.pcap.out b/test/results/flow-info/android.pcap.out
index 67051ee69..c7dda0700 100644
--- a/test/results/flow-info/android.pcap.out
+++ b/test/results/flow-info/android.pcap.out
@@ -174,7 +174,7 @@
                    [BINS(c->s)..: 13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0]
-                   [IATS(ms)....: 13.7,15.0,32.7,47.5,16.6,0.0,34.5,0.3,386.5,404.6,19.7,197.6,221.1,19.2,15.0,27.7,41.8,1.7,0.0,0.0,1.0,1.6,0.1,0.0,0.0,1.2,0.0,1.2,2.7,0.0,0.0,0.0]
+                   [IATS(ms)....: 13.7,15.0,32.7,47.5,16.6,0.0,34.5,0.3,386.5,404.6,19.7,197.6,221.1,19.2,15.0,27.7,41.8,1.7,0.0,0.0,1.0,1.6,0.1,0.0,0.0,1.2,0.0,1.2,2.7,0.0,0.0]
                    [PKTLENS.....: 74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66]
  detection-update: [....59] [ip4][..tcp] [...192.168.2.16][33014] -> [.216.239.38.120][..443] [TLS.Google][Web][Acceptable]
  detection-update: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Web][Fun]
diff --git a/test/results/flow-info/anyconnect-vpn.pcap.out b/test/results/flow-info/anyconnect-vpn.pcap.out
index 90b510045..308495666 100644
--- a/test/results/flow-info/anyconnect-vpn.pcap.out
+++ b/test/results/flow-info/anyconnect-vpn.pcap.out
@@ -50,7 +50,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 39.5,39.5,0.4,43.7,1.2,44.5,40.9,0.0,40.9,0.0,38.2,0.0,38.3,0.0,33.2,0.0,71.5,0.0,38.3,6.1,35.1,41.2,0.2,42.3,2.9,0.0,0.0,44.9,0.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 39.5,39.5,0.4,43.7,1.2,44.5,40.9,0.0,40.9,0.0,38.2,0.0,38.3,0.0,33.2,0.0,71.5,0.0,38.3,6.1,35.1,41.2,0.2,42.3,2.9,0.0,0.0,44.9,0.1]
                    [PKTLENS.....: 78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66]
  detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Web][Safe]
                    RISK: Weak TLS Cipher, Missing SNI TLS Extn
@@ -116,7 +116,7 @@
                    [BINS(c->s)..: 9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 28.5,28.6,0.3,35.2,11.6,46.5,4.2,33.1,3.0,31.9,1.5,30.5,1.7,30.8,254.9,281.1,5.1,31.3,315.0,342.2,26.3,53.5,25.8,25.8,4.8,30.5,2.7,28.4,358.2,384.8,2.1,0.0]
+                   [IATS(ms)....: 28.5,28.6,0.3,35.2,11.6,46.5,4.2,33.1,3.0,31.9,1.5,30.5,1.7,30.8,254.9,281.1,5.1,31.3,315.0,342.2,26.3,53.5,25.8,25.8,4.8,30.5,2.7,28.4,358.2,384.8,2.1]
                    [PKTLENS.....: 78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124]
               new: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] [MIDSTREAM] 
               new: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] 
@@ -133,7 +133,7 @@
                    [BINS(c->s)..: 12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 42.4,42.4,2.0,46.9,1.2,46.1,40.3,0.0,40.3,0.0,37.2,0.0,37.2,0.0,97.2,138.0,40.9,1.2,43.3,9.0,0.0,0.0,0.0,0.0,0.0,0.0,51.2,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 42.4,42.4,2.0,46.9,1.2,46.1,40.3,0.0,40.3,0.0,37.2,0.0,37.2,0.0,97.2,138.0,40.9,1.2,43.3,9.0,0.0,0.0,0.0,0.0,0.0,0.0,51.2]
                    [PKTLENS.....: 78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66]
  detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe]
                    RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
@@ -197,7 +197,7 @@
                    [BINS(c->s)..: 0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1]
-                   [IATS(ms)....: 43.5,43.9,46.6,47.0,13.8,22.4,0.1,45.4,0.0,0.0,0.2,0.0,8.9,0.2,3.2,0.0,34.6,0.0,41.1,0.5,5.7,3.7,11.8,10.0,4.2,4.6,47.0,47.1,0.2,0.4,3.8,0.0]
+                   [IATS(ms)....: 43.5,43.9,46.6,47.0,13.8,22.4,0.1,45.4,0.0,0.0,0.2,0.0,8.9,0.2,3.2,0.0,34.6,0.0,41.1,0.5,5.7,3.7,11.8,10.0,4.2,4.6,47.0,47.1,0.2,0.4,3.8]
                    [PKTLENS.....: 141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343]
               new: [....60] [ip4][..udp] [.....10.0.0.227][52595] -> [.......10.0.0.1][..192] 
               new: [....61] [ip4][..udp] [.....10.0.0.151][.1900] -> [.....10.0.0.227][57547] 
diff --git a/test/results/flow-info/anydesk.pcapng.out b/test/results/flow-info/anydesk.pcapng.out
index d1bc9399a..a58329ffe 100644
--- a/test/results/flow-info/anydesk.pcapng.out
+++ b/test/results/flow-info/anydesk.pcapng.out
@@ -18,7 +18,7 @@
                    [BINS(c->s)..: 8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1]
-                   [IATS(ms)....: 164.8,164.9,0.6,1.1,165.0,165.4,0.5,0.5,0.3,0.3,1.8,2.0,164.9,165.2,0.2,0.2,0.2,0.3,218.6,218.7,0.6,0.9,1215.5,1216.3,0.0,0.1,0.9,0.0,0.0,1602.9,0.1,0.0]
+                   [IATS(ms)....: 164.8,164.9,0.6,1.1,165.0,165.4,0.5,0.5,0.3,0.3,1.8,2.0,164.9,165.2,0.2,0.2,0.2,0.3,218.6,218.7,0.6,0.9,1215.5,1216.3,0.0,0.1,0.9,0.0,0.0,1602.9,0.1]
                    [PKTLENS.....: 74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194]
  detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][RemoteAccess][Acceptable]
                    RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1]
                    [BINS(s->c)..: 11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 0.5,0.5,0.3,0.4,0.3,10.5,10.9,39.6,40.3,8.7,9.5,516.9,517.5,1.6,27.8,26.2,2.4,56.3,902.9,957.3,1754.2,1753.7,16.4,71.2,2966.8,3021.8,4.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.5,0.5,0.3,0.4,0.3,10.5,10.9,39.6,40.3,8.7,9.5,516.9,517.5,1.6,27.8,26.2,2.4,56.3,902.9,957.3,1754.2,1753.7,16.4,71.2,2966.8,3021.8,4.0]
                    [PKTLENS.....: 66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130]
      DAEMON-EVENT: [Processed: 9484 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 0]
@@ -69,7 +69,7 @@
                    [BINS(c->s)..: 8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1]
-                   [IATS(ms)....: 17.7,17.8,0.9,17.8,3.4,20.3,0.1,0.0,3.8,21.9,18.1,0.1,0.0,0.9,64.2,13.4,76.8,1.5,18.4,206.6,224.8,0.0,0.0,18.7,0.0,62.8,0.0,80.2,8427.9,8444.6,314.0,0.0]
+                   [IATS(ms)....: 17.7,17.8,0.9,17.8,3.4,20.3,0.1,0.0,3.8,21.9,18.1,0.1,0.0,0.9,64.2,13.4,76.8,1.5,18.4,206.6,224.8,0.0,0.0,18.7,0.0,62.8,0.0,80.2,8427.9,8444.6,314.0]
                    [PKTLENS.....: 74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159]
               end: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] 
              idle: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable]
diff --git a/test/results/flow-info/bad-dns-traffic.pcap.out b/test/results/flow-info/bad-dns-traffic.pcap.out
index 8101644f6..22c646290 100644
--- a/test/results/flow-info/bad-dns-traffic.pcap.out
+++ b/test/results/flow-info/bad-dns-traffic.pcap.out
@@ -28,7 +28,7 @@
                    [BINS(c->s)..: 0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1]
-                   [IATS(ms)....: 1006.5,1005.8,1008.1,1008.5,4101.9,73.2,63.1,1023.9,1006.7,2080.9,1018.8,962.5,1014.1,1012.6,1013.6,1040.3,1038.2,1060.2,1011.7,991.1,1041.5,1066.6,1017.8,982.3,1029.5,1026.2,1027.8,1007.4,2080.4,166.4,305.9,0.0]
+                   [IATS(ms)....: 1006.5,1005.8,1008.1,1008.5,4101.9,73.2,63.1,1023.9,1006.7,2080.9,1018.8,962.5,1014.1,1012.6,1013.6,1040.3,1038.2,1060.2,1011.7,991.1,1041.5,1066.6,1017.8,982.3,1029.5,1026.2,1027.8,1007.4,2080.4,166.4,305.9]
                    [PKTLENS.....: 133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323]
            update: [.....1] [ip4][..udp] [..192.168.43.91][35966] -> [........4.2.2.4][...53] [DNS][Network][Acceptable]
                    RISK: Suspicious DGA Domain name, Risky Domain Name
diff --git a/test/results/flow-info/bitcoin.pcap.out b/test/results/flow-info/bitcoin.pcap.out
index 7c94f3acb..bf92f591d 100644
--- a/test/results/flow-info/bitcoin.pcap.out
+++ b/test/results/flow-info/bitcoin.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 52.7,59.2,36072.7,6972.6,71059.7,141657.3,28238.3,0.1,33.0,0.0,0.0,1933.1,0.0,0.0,0.0,0.0,4.5,16.8,0.3,4.1,0.5,12.1,1.1,0.3,10.6,15.7,2.7,0.0,3.1,4.1,7.9,0.0]
+                   [IATS(ms)....: 52.7,59.2,36072.7,6972.6,71059.7,141657.3,28238.3,0.1,33.0,0.0,0.0,1933.1,0.0,0.0,0.0,0.0,4.5,16.8,0.3,4.1,0.5,12.1,1.1,0.3,10.6,15.7,2.7,0.0,3.1,4.1,7.9]
                    [PKTLENS.....: 171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
               new: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [MIDSTREAM] 
          detected: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [Mining][Mining][Unsafe]
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 59.2,103.2,9823.2,39766.1,21773.2,100110.7,311.6,29237.0,0.0,63.5,0.0,0.1,1.8,36.3,0.1,10.1,0.0,2.2,0.0,22.5,0.0,0.0,5.4,1.9,16.7,0.1,3.3,3.2,0.1,2.6,1.0,0.0]
+                   [IATS(ms)....: 59.2,103.2,9823.2,39766.1,21773.2,100110.7,311.6,29237.0,0.0,63.5,0.0,0.1,1.8,36.3,0.1,10.1,0.0,2.2,0.0,22.5,0.0,0.0,5.4,1.9,16.7,0.1,3.3,3.2,0.1,2.6,1.0]
                    [PKTLENS.....: 171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
               new: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [MIDSTREAM] 
          detected: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [Mining][Mining][Unsafe]
@@ -40,7 +40,7 @@
                    [BINS(c->s)..: 0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
                    [BINS(s->c)..: 1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 62.3,90.5,14042.4,39643.2,11452.0,9238.6,22700.4,134322.5,190.5,216.5,0.1,56.8,0.0,0.0,0.0,45582.9,5.5,2.9,79.7,2.4,56.4,14.9,38.3,1.1,29.4,10.2,41.4,0.0,29.6,11.8,15.8,0.0]
+                   [IATS(ms)....: 62.3,90.5,14042.4,39643.2,11452.0,9238.6,22700.4,134322.5,190.5,216.5,0.1,56.8,0.0,0.0,0.0,45582.9,5.5,2.9,79.7,2.4,56.4,14.9,38.3,1.1,29.4,10.2,41.4,0.0,29.6,11.8,15.8]
                    [PKTLENS.....: 171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
               new: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [MIDSTREAM] 
          detected: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [Mining][Mining][Unsafe]
@@ -52,7 +52,7 @@
                    [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0]
                    [BINS(s->c)..: 1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 128.2,113.3,17195.1,11450.8,3438.7,6.8,2755.3,41186.4,319.9,321.8,0.0,347.4,8283.5,31.9,35.0,52.7,19.0,36.6,49.3,41.1,63.9,2.3,29.1,27.7,37.4,32.7,49.2,24.6,33.7,41.1,34.1,0.0]
+                   [IATS(ms)....: 128.2,113.3,17195.1,11450.8,3438.7,6.8,2755.3,41186.4,319.9,321.8,0.0,347.4,8283.5,31.9,35.0,52.7,19.0,36.6,49.3,41.1,63.9,2.3,29.1,27.7,37.4,32.7,49.2,24.6,33.7,41.1,34.1]
                    [PKTLENS.....: 171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
      DAEMON-EVENT: [Processed: 494 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 5 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/bittorrent.pcap.out b/test/results/flow-info/bittorrent.pcap.out
index f1e100b08..de6e221d6 100644
--- a/test/results/flow-info/bittorrent.pcap.out
+++ b/test/results/flow-info/bittorrent.pcap.out
@@ -70,7 +70,7 @@
                    [BINS(c->s)..: 5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1]
-                   [IATS(ms)....: 176.8,184.0,361.0,337.3,477.6,920.0,779.8,619.5,619.4,156.9,158.1,151.0,161.2,12.0,185.6,163.5,148.9,165.8,153.5,19.2,148.7,12.8,146.1,495.9,130.3,32.1,133.8,27.3,421.5,129.5,27.4,0.0]
+                   [IATS(ms)....: 176.8,184.0,361.0,337.3,477.6,920.0,779.8,619.5,619.4,156.9,158.1,151.0,161.2,12.0,185.6,163.5,148.9,165.8,153.5,19.2,148.7,12.8,146.1,495.9,130.3,32.1,133.8,27.3,421.5,129.5,27.4]
                    [PKTLENS.....: 134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506]
               new: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [MIDSTREAM] 
          detected: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [BitTorrent][Download][Acceptable]
diff --git a/test/results/flow-info/bittorrent_utp.pcap.out b/test/results/flow-info/bittorrent_utp.pcap.out
index 09e137233..918c55c72 100644
--- a/test/results/flow-info/bittorrent_utp.pcap.out
+++ b/test/results/flow-info/bittorrent_utp.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0]
                    [BINS(s->c)..: 11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0]
-                   [IATS(ms)....: 4392.2,1037.9,5430.3,116.8,116.9,100.5,240.4,139.9,4.5,110.6,115.0,1.0,58.6,60.6,88.2,88.1,37.5,37.7,24.5,24.4,43.7,55.5,11.6,11.8,11.9,53.7,52.8,104.1,173.3,8.3,17.5,0.0]
+                   [IATS(ms)....: 4392.2,1037.9,5430.3,116.8,116.9,100.5,240.4,139.9,4.5,110.6,115.0,1.0,58.6,60.6,88.2,88.1,37.5,37.7,24.5,24.4,43.7,55.5,11.6,11.8,11.9,53.7,52.8,104.1,173.3,8.3,17.5]
                    [PKTLENS.....: 146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051]
              idle: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/bot.pcap.out b/test/results/flow-info/bot.pcap.out
index 503df129b..60bbf1353 100644
--- a/test/results/flow-info/bot.pcap.out
+++ b/test/results/flow-info/bot.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1]
-                   [IATS(ms)....: 0.4,106.5,0.0,106.7,7.6,0.1,0.1,0.1,0.0,0.0,0.8,0.0,0.0,0.0,114.2,0.3,105.4,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.2,0.0,0.1,0.0,0.8,0.1,0.5,0.0]
+                   [IATS(ms)....: 0.4,106.5,0.0,106.7,7.6,0.1,0.1,0.1,0.0,0.0,0.8,0.0,0.0,0.0,114.2,0.3,105.4,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.2,0.0,0.1,0.0,0.8,0.1,0.5]
                    [PKTLENS.....: 66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498]
               end: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/capwap.pcap.out b/test/results/flow-info/capwap.pcap.out
index 0ef3faeb3..75c06e6cd 100644
--- a/test/results/flow-info/capwap.pcap.out
+++ b/test/results/flow-info/capwap.pcap.out
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0]
                    [BINS(s->c)..: 0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]
                    [DIRECTIONS..: 0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0]
-                   [IATS(ms)....: 0.8,9998.4,10093.4,96.4,2.6,0.0,0.1,182.4,0.0,0.1,314.1,135.3,2.7,0.2,111.8,0.0,157.3,0.0,325.7,280.1,0.0,39.5,0.0,39.5,0.3,2.1,1.0,0.5,0.5,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.8,9998.4,10093.4,96.4,2.6,0.0,0.1,182.4,0.0,0.1,314.1,135.3,2.7,0.2,111.8,0.0,157.3,0.0,325.7,280.1,0.0,39.5,0.0,39.5,0.3,2.1,1.0,0.5,0.5]
                    [PKTLENS.....: 156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875]
               new: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] 
          detected: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] [CAPWAP][Network][Acceptable]
@@ -36,7 +36,7 @@
                    [BINS(c->s)..: 0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 500.0,500.0,499.9,3000.0,500.0,500.0,500.0,500.0,499.9,500.0,500.0,500.0,500.0,1000.0,1000.0,500.0,2999.8,1000.0,1000.0,500.0,1999.8,500.0,500.0,1000.0,500.0,1500.0,499.9,2000.0,1000.0,1000.0,3999.8,0.0]
+                   [IATS(ms)....: 500.0,500.0,499.9,3000.0,500.0,500.0,500.0,500.0,499.9,500.0,500.0,500.0,500.0,1000.0,1000.0,500.0,2999.8,1000.0,1000.0,500.0,1999.8,500.0,500.0,1000.0,500.0,1500.0,499.9,2000.0,1000.0,1000.0,3999.8]
                    [PKTLENS.....: 122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180]
            update: [.....3] [ip4][..udp] [..192.168.10.10][12380] -> [255.255.255.255][.5246] [CAPWAP][Network][Acceptable]
            update: [.....1] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12379] [CAPWAP][Network][Acceptable]
diff --git a/test/results/flow-info/cassandra.pcap.out b/test/results/flow-info/cassandra.pcap.out
index 2fb60d21d..c151b6cc6 100644
--- a/test/results/flow-info/cassandra.pcap.out
+++ b/test/results/flow-info/cassandra.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0]
-                   [IATS(ms)....: 0.0,0.0,0.2,0.3,5.7,5.7,0.2,0.6,1.5,1.6,1.6,2.3,1.1,3.5,3.5,2.8,4.8,1.9,1.8,0.7,2.5,2.0,1.4,3.4,25963.2,26002.2,1164.0,1204.4,1.3,2.3,5.7,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.2,0.3,5.7,5.7,0.2,0.6,1.5,1.6,1.6,2.3,1.1,3.5,3.5,2.8,4.8,1.9,1.8,0.7,2.5,2.0,1.4,3.4,25963.2,26002.2,1164.0,1204.4,1.3,2.3,5.7]
                    [PKTLENS.....: 74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157]
           analyse: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -21,7 +21,7 @@
                    [BINS(c->s)..: 10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.0,0.0,0.7,0.7,5.3,5.3,0.3,0.7,1.7,4.5,3.4,25897.1,25937.1,6.0,46.6,0.7,0.0,0.0,1.2,1.1,2.3,1.2,3.3,41.7,7689.9,7730.3,0.8,0.2,0.6,40.1,3670.2,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.7,0.7,5.3,5.3,0.3,0.7,1.7,4.5,3.4,25897.1,25937.1,6.0,46.6,0.7,0.0,0.0,1.2,1.1,2.3,1.2,3.3,41.7,7689.9,7730.3,0.8,0.2,0.6,40.1,3670.2]
                    [PKTLENS.....: 74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291]
               end: [.....1] [ip4][..tcp] [......127.0.0.1][46536] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable]
               end: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable]
diff --git a/test/results/flow-info/check_mk_new.pcap.out b/test/results/flow-info/check_mk_new.pcap.out
index affbc43ad..0e8139d09 100644
--- a/test/results/flow-info/check_mk_new.pcap.out
+++ b/test/results/flow-info/check_mk_new.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.2,2.1,2.1,0.1,0.1,0.1,0.1,1.9,1.8,0.1,0.1,1.3,1.2,0.1,0.2,0.1,0.1,1.2,1.2,0.2,0.2,2.0,2.0,1.8,1.8,1.9,1.9,0.7,0.7,0.1,0.0]
+                   [IATS(ms)....: 0.0,0.2,2.1,2.1,0.1,0.1,0.1,0.1,1.9,1.8,0.1,0.1,1.3,1.2,0.1,0.2,0.1,0.1,1.2,1.2,0.2,0.2,2.0,2.0,1.8,1.8,1.9,1.9,0.7,0.7,0.1]
                    [PKTLENS.....: 74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75]
               end: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/chrome.pcap.out b/test/results/flow-info/chrome.pcap.out
index b226b4da5..3da7f70df 100644
--- a/test/results/flow-info/chrome.pcap.out
+++ b/test/results/flow-info/chrome.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]
-                   [IATS(ms)....: 28.8,28.9,0.3,29.8,7.0,0.2,36.6,0.5,0.5,13.6,0.3,42.3,0.0,0.2,0.0,28.6,0.0,627.9,1.2,629.0,0.1,0.2,0.3,0.1,0.3,0.3,1.1,131.1,160.1,5.6,0.1,0.0]
+                   [IATS(ms)....: 28.8,28.9,0.3,29.8,7.0,0.2,36.6,0.5,0.5,13.6,0.3,42.3,0.0,0.2,0.0,28.6,0.0,627.9,1.2,629.0,0.1,0.2,0.3,0.1,0.3,0.3,1.1,131.1,160.1,5.6,0.1]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506]
  detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe]
               new: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] 
@@ -31,7 +31,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0]
-                   [IATS(ms)....: 28.5,28.6,0.6,28.4,2.8,30.5,2.0,28.4,0.1,26.4,441.8,468.8,1.7,1.4,30.2,0.1,0.1,0.2,0.1,0.1,0.2,0.1,0.1,0.3,0.2,0.3,0.5,0.8,26.0,25.3,1.8,0.0]
+                   [IATS(ms)....: 28.5,28.6,0.6,28.4,2.8,30.5,2.0,28.4,0.1,26.4,441.8,468.8,1.7,1.4,30.2,0.1,0.1,0.2,0.1,0.1,0.2,0.1,0.1,0.3,0.2,0.3,0.5,0.8,26.0,25.3,1.8]
                    [PKTLENS.....: 78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770]
  detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe]
  detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe]
@@ -45,7 +45,7 @@
                    [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 26.8,26.8,1.3,28.2,6.8,1.3,0.0,35.0,0.0,0.4,0.3,27.6,0.0,26.9,1.4,1.4,1.1,0.0,1.1,0.1,0.2,0.2,0.4,0.1,0.1,0.0,0.3,0.0,0.7,1.7,0.0,0.0]
+                   [IATS(ms)....: 26.8,26.8,1.3,28.2,6.8,1.3,0.0,35.0,0.0,0.4,0.3,27.6,0.0,26.9,1.4,1.4,1.1,0.0,1.1,0.1,0.2,0.2,0.4,0.1,0.1,0.0,0.3,0.0,0.7,1.7]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820]
  detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe]
           analyse: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] 
@@ -55,7 +55,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 29.3,29.3,0.9,29.0,2.5,30.7,0.6,0.3,26.2,1.1,2.3,28.7,1.8,0.2,2.0,0.4,0.5,0.9,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.9,26.9,0.1,26.2,1.5,0.1,0.0]
+                   [IATS(ms)....: 29.3,29.3,0.9,29.0,2.5,30.7,0.6,0.3,26.2,1.1,2.3,28.7,1.8,0.2,2.0,0.4,0.5,0.9,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.9,26.9,0.1,26.2,1.5,0.1]
                    [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506]
  detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe]
           analyse: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] 
@@ -65,7 +65,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 28.7,28.7,1.3,29.9,9.6,0.1,0.0,38.3,0.0,0.5,0.2,28.0,0.1,0.1,0.0,27.5,0.0,1.2,1.3,2.5,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.2,0.4,0.4,25.3,0.0]
+                   [IATS(ms)....: 28.7,28.7,1.3,29.9,9.6,0.1,0.0,38.3,0.0,0.5,0.2,28.0,0.1,0.1,0.0,27.5,0.0,1.2,1.3,2.5,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.2,0.4,0.4,25.3]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506]
  detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe]
           analyse: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] 
@@ -75,7 +75,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]
-                   [IATS(ms)....: 29.8,29.8,1.1,30.0,2.5,31.5,0.4,0.2,32.0,0.0,0.0,31.5,1.0,0.1,1.1,0.1,0.2,0.1,0.1,0.1,0.1,0.2,0.5,0.1,0.6,0.1,1.5,27.3,0.1,26.1,4.6,0.0]
+                   [IATS(ms)....: 29.8,29.8,1.1,30.0,2.5,31.5,0.4,0.2,32.0,0.0,0.0,31.5,1.0,0.1,1.1,0.1,0.2,0.1,0.1,0.1,0.1,0.2,0.5,0.1,0.6,0.1,1.5,27.3,0.1,26.1,4.6]
                    [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775]
  detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] [TLS][Web][Safe]
               end: [.....1] [ip4][..tcp] [..192.168.1.178][64393] -> [...146.48.58.18][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/citrix.pcap.out b/test/results/flow-info/citrix.pcap.out
index 7e9427cbe..fec2906b5 100644
--- a/test/results/flow-info/citrix.pcap.out
+++ b/test/results/flow-info/citrix.pcap.out
@@ -8,7 +8,7 @@
                    [BINS(c->s)..: 5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0]
-                   [IATS(ms)....: 2.1,2.1,6.1,6.1,4.1,7.1,1.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,1.0,0.0,56.3,46.1,4.1,4.1,0.0]
+                   [IATS(ms)....: 2.1,2.1,6.1,6.1,4.1,7.1,1.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,1.0,0.0,56.3,46.1,4.1,4.1]
                    [PKTLENS.....: 64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64]
              idle: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/coap_mqtt.pcap.out b/test/results/flow-info/coap_mqtt.pcap.out
index d15c9625f..9e991ac3c 100644
--- a/test/results/flow-info/coap_mqtt.pcap.out
+++ b/test/results/flow-info/coap_mqtt.pcap.out
@@ -52,7 +52,7 @@
                    [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1]
-                   [IATS(ms)....: 0.1,0.2,4.6,4.9,1.0,9.3,9.1,2.8,3.5,0.5,2.4,21.8,23.4,198.7,4438.9,4242.4,38.5,37.9,0.5,2.3,62.5,65.0,1.2,38.7,37.8,0.5,2.8,66.7,69.7,1.1,39.4,0.0]
+                   [IATS(ms)....: 0.1,0.2,4.6,4.9,1.0,9.3,9.1,2.8,3.5,0.5,2.4,21.8,23.4,198.7,4438.9,4242.4,38.5,37.9,0.5,2.3,62.5,65.0,1.2,38.7,37.8,0.5,2.8,66.7,69.7,1.1,39.4]
                    [PKTLENS.....: 66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54]
           analyse: [.....9] [ip4][..tcp] [...192.168.56.1][53522] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -61,7 +61,7 @@
                    [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]
-                   [IATS(ms)....: 0.7,199.1,27505.9,27310.4,42.7,40.0,0.1,0.5,60.4,61.2,1.6,38.9,37.7,0.6,2.9,66.3,69.5,1.2,39.6,39.1,1.0,2.4,62.7,65.3,1.8,40.5,38.7,0.2,6.2,66.7,73.1,0.0]
+                   [IATS(ms)....: 0.7,199.1,27505.9,27310.4,42.7,40.0,0.1,0.5,60.4,61.2,1.6,38.9,37.7,0.6,2.9,66.3,69.5,1.2,39.6,39.1,1.0,2.4,62.7,65.3,1.8,40.5,38.7,0.2,6.2,66.7,73.1]
                    [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]
           analyse: [....10] [ip4][..tcp] [...192.168.56.1][53523] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -70,7 +70,7 @@
                    [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]
-                   [IATS(ms)....: 0.4,199.9,13150.8,12952.3,38.6,38.0,0.5,2.1,62.6,65.0,1.0,38.8,38.1,0.5,2.6,66.8,69.6,1.2,39.5,39.1,1.0,2.4,62.9,65.5,0.8,40.2,39.5,0.2,5.6,67.5,73.2,0.0]
+                   [IATS(ms)....: 0.4,199.9,13150.8,12952.3,38.6,38.0,0.5,2.1,62.6,65.0,1.0,38.8,38.1,0.5,2.6,66.8,69.6,1.2,39.5,39.1,1.0,2.4,62.9,65.5,0.8,40.2,39.5,0.2,5.6,67.5,73.2]
                    [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]
           analyse: [....13] [ip4][..tcp] [.192.168.56.101][17501] -> [...192.168.56.1][53524] [MQTT][RPC][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -79,7 +79,7 @@
                    [BINS(c->s)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1]
-                   [IATS(ms)....: 2.0,38.6,37.1,0.5,2.4,62.3,64.9,0.8,38.7,38.1,0.5,2.3,67.3,69.7,0.7,39.4,39.5,0.9,2.3,63.2,65.6,1.6,40.3,38.7,0.2,6.1,67.2,73.5,2.5,42.4,39.9,0.0]
+                   [IATS(ms)....: 2.0,38.6,37.1,0.5,2.4,62.3,64.9,0.8,38.7,38.1,0.5,2.3,67.3,69.7,0.7,39.4,39.5,0.9,2.3,63.2,65.6,1.6,40.3,38.7,0.2,6.1,67.2,73.5,2.5,42.4,39.9]
                    [PKTLENS.....: 140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114]
               new: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] 
          detected: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
@@ -90,7 +90,7 @@
                    [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1,0.0]
+                   [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1]
                    [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]
               new: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] 
          detected: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
@@ -101,7 +101,7 @@
                    [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7,0.0]
+                   [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7]
                    [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]
               new: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] 
          detected: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
@@ -112,7 +112,7 @@
                    [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5,0.0]
+                   [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5]
                    [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]
           analyse: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -121,7 +121,7 @@
                    [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6,0.0]
+                   [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6]
                    [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]
              idle: [....12] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
              idle: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
diff --git a/test/results/flow-info/collectd.pcap.out b/test/results/flow-info/collectd.pcap.out
index 8ca67a843..87a17d965 100644
--- a/test/results/flow-info/collectd.pcap.out
+++ b/test/results/flow-info/collectd.pcap.out
@@ -40,7 +40,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 9999.0,10000.5,9999.5,9999.9,9999.9,0.5,10000.0,10000.1,9999.7,10000.0,9999.9,10000.0,0.4,9999.8,9999.9,10000.1,9999.9,9999.8,10000.1,0.8,9999.6,9999.6,10000.2,10000.1,9999.9,9999.7,0.6,10000.1,9999.2,10000.4,9999.9,0.0]
+                   [IATS(ms)....: 9999.0,10000.5,9999.5,9999.9,9999.9,0.5,10000.0,10000.1,9999.7,10000.0,9999.9,10000.0,0.4,9999.8,9999.9,10000.1,9999.9,9999.8,10000.1,0.8,9999.6,9999.6,10000.2,10000.1,9999.9,9999.7,0.6,10000.1,9999.2,10000.4,9999.9]
                    [PKTLENS.....: 1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376]
            update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable]
            update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable]
diff --git a/test/results/flow-info/dnp3.pcap.out b/test/results/flow-info/dnp3.pcap.out
index 3080954d2..0f717b2f7 100644
--- a/test/results/flow-info/dnp3.pcap.out
+++ b/test/results/flow-info/dnp3.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.2,0.4,1.6,151.6,2891.9,0.8,3043.1,21.2,212.0,120145.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,1.6,151.6,2891.9,0.8,3043.1,21.2,212.0,120145.7]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]
      DAEMON-EVENT: [Processed: 39 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 0.2,0.4,1.5,181.2,17203.3,17487.3,4814.1,4907.0,3276.8,3079.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,1.5,181.2,17203.3,17487.3,4814.1,4907.0,3276.8,3079.9]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]
      DAEMON-EVENT: [Processed: 78 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -37,7 +37,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.2,0.4,1.5,145.0,996.9,0.8,1141.4,10.3,204.1,82989.4,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,1.5,145.0,996.9,0.8,1141.4,10.3,204.1,82989.4]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]
      DAEMON-EVENT: [Processed: 216 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 0.2,0.4,75028.6,75076.4,0.5,48.2,0.6,153.0,35338.8,35569.8,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,75028.6,75076.4,0.5,48.2,0.6,153.0,35338.8,35569.8]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71]
      DAEMON-EVENT: [Processed: 351 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -64,7 +64,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.1,0.3,1.3,168.6,2471.1,0.8,2639.4,99.8,232.2,15.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.1,0.3,1.3,168.6,2471.1,0.8,2639.4,99.8,232.2,15.3]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79]
              idle: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable]
      DAEMON-EVENT: [Processed: 444 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -85,7 +85,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0]
-                   [IATS(ms)....: 0.2,0.4,1.4,192.8,9227.0,9487.8,187.1,2636.4,2814.1,167.8,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,1.4,192.8,9227.0,9487.8,187.1,2636.4,2814.1,167.8]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60]
      DAEMON-EVENT: [Processed: 504 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1]
@@ -98,7 +98,7 @@
                    [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 0.2,0.4,1.5,125.3,3672.1,3963.2,1744.3,1702.4,2163.8,2038.6,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.4,1.5,125.3,3672.1,3963.2,1744.3,1702.4,2163.8,2038.6]
                    [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]
               end: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable]
              idle: [.....6] [ip4][..tcp] [.......10.0.0.8][.1159] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable]
diff --git a/test/results/flow-info/dns-tunnel-iodine.pcap.out b/test/results/flow-info/dns-tunnel-iodine.pcap.out
index d8541a35b..618d7b867 100644
--- a/test/results/flow-info/dns-tunnel-iodine.pcap.out
+++ b/test/results/flow-info/dns-tunnel-iodine.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.1,0.9,1.1,5.8,5.7,0.4,0.3,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.3,0.6,0.4,0.2,0.3,0.5,0.4,0.2,0.2,1001.7,1002.3,1001.5,1003.0,1002.5,0.0]
+                   [IATS(ms)....: 0.1,0.9,1.1,5.8,5.7,0.4,0.3,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.3,0.6,0.4,0.2,0.3,0.5,0.4,0.2,0.2,1001.7,1002.3,1001.5,1003.0,1002.5]
                    [PKTLENS.....: 82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323]
              idle: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable]
                    RISK: Suspicious DNS Traffic
diff --git a/test/results/flow-info/dns_doh.pcap.out b/test/results/flow-info/dns_doh.pcap.out
index bfedf75bd..293c91776 100644
--- a/test/results/flow-info/dns_doh.pcap.out
+++ b/test/results/flow-info/dns_doh.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 87.1,87.2,1.8,92.2,0.0,0.0,90.4,0.5,1.5,0.9,26.1,0.9,0.1,0.1,102.7,7.8,0.0,0.0,83.4,0.0,17.9,147.6,535.3,0.7,88.8,0.1,525.4,0.0,10.7,0.0,0.0,0.0]
+                   [IATS(ms)....: 87.1,87.2,1.8,92.2,0.0,0.0,90.4,0.5,1.5,0.9,26.1,0.9,0.1,0.1,102.7,7.8,0.0,0.0,83.4,0.0,17.9,147.6,535.3,0.7,88.8,0.1,525.4,0.0,10.7,0.0]
                    [PKTLENS.....: 78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85]
              idle: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/dns_exfiltration.pcap.out b/test/results/flow-info/dns_exfiltration.pcap.out
index 985334158..b0b49f6f9 100644
--- a/test/results/flow-info/dns_exfiltration.pcap.out
+++ b/test/results/flow-info/dns_exfiltration.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 170.6,1035.5,866.5,1015.3,1015.6,4.6,4.0,1010.0,1010.4,1009.2,1009.1,1008.5,1008.4,1009.5,1009.4,1008.0,1008.1,1008.7,1008.6,1009.8,1009.8,1010.0,1010.1,1009.0,1008.9,1008.5,1008.4,1007.7,1007.8,1008.8,1008.7,0.0]
+                   [IATS(ms)....: 170.6,1035.5,866.5,1015.3,1015.6,4.6,4.0,1010.0,1010.4,1009.2,1009.1,1008.5,1008.4,1009.5,1009.4,1008.0,1008.1,1008.7,1008.6,1009.8,1009.8,1010.0,1010.1,1009.0,1008.9,1008.5,1008.4,1007.7,1007.8,1008.8,1008.7]
                    [PKTLENS.....: 215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148]
            update: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable]
                    RISK: Suspicious DGA Domain name, Risky Domain Name
diff --git a/test/results/flow-info/doq_adguard.pcapng.out b/test/results/flow-info/doq_adguard.pcapng.out
index baafcb075..cc2b34a0c 100644
--- a/test/results/flow-info/doq_adguard.pcapng.out
+++ b/test/results/flow-info/doq_adguard.pcapng.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1]
-                   [IATS(ms)....: 36.5,41.7,43.2,0.1,0.0,41.9,6.7,38.4,6.6,58.7,0.0,206.5,0.0,419.1,0.1,0.7,29.2,153.2,0.1,8.2,0.1,10.5,39.6,0.1,37.0,45.0,51.5,1830.4,0.1,0.0,1885.3,0.0]
+                   [IATS(ms)....: 36.5,41.7,43.2,0.1,0.0,41.9,6.7,38.4,6.6,58.7,0.0,206.5,0.0,419.1,0.1,0.7,29.2,153.2,0.1,8.2,0.1,10.5,39.6,0.1,37.0,45.0,51.5,1830.4,0.1,0.0,1885.3]
                    [PKTLENS.....: 1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83]
              idle: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out
index c84e2fe3d..47c71d3da 100644
--- a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out
+++ b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out
@@ -185,7 +185,7 @@
                    [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.5,0.1,39.0,710.2,0.1,0.0,39.5,709.8,0.1,0.0,40.3,710.1,0.1,0.1,40.0,760.7,749.9,749.1,750.1,96434.4,763.9,760.0,756.0,755.2,752.2,756.6,760.0,22000.9,749.9,749.9,755.0,0.0]
+                   [IATS(ms)....: 0.5,0.1,39.0,710.2,0.1,0.0,39.5,709.8,0.1,0.0,40.3,710.1,0.1,0.1,40.0,760.7,749.9,749.1,750.1,96434.4,763.9,760.0,756.0,755.2,752.2,756.6,760.0,22000.9,749.9,749.9,755.0]
                    [PKTLENS.....: 110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110]
              idle: [.....2] [ip4][.icmp] [192.168.239.129] -> [......224.0.0.2] [ICMP][Network][Acceptable]
              idle: [.....3] [ip4][..udp] [192.168.239.129][..137] -> [192.168.239.255][..137] [NetBIOS][System][Acceptable]
diff --git a/test/results/flow-info/drda_db2.pcap.out b/test/results/flow-info/drda_db2.pcap.out
index 158fe33d8..5dd8b4b7c 100644
--- a/test/results/flow-info/drda_db2.pcap.out
+++ b/test/results/flow-info/drda_db2.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0]
-                   [IATS(ms)....: 0.5,0.5,117.3,117.7,0.7,9.1,43.4,966.1,1129.7,349.3,477.6,7.5,71.6,64.4,182.7,413.2,622.4,30.3,5.5,2.6,0.5,1.6,2.0,1.6,1.1,154.3,17828.3,17986.1,9.9,7.0,168.4,0.0]
+                   [IATS(ms)....: 0.5,0.5,117.3,117.7,0.7,9.1,43.4,966.1,1129.7,349.3,477.6,7.5,71.6,64.4,182.7,413.2,622.4,30.3,5.5,2.6,0.5,1.6,2.0,1.6,1.1,154.3,17828.3,17986.1,9.9,7.0,168.4]
                    [PKTLENS.....: 62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54]
               end: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/dropbox.pcap.out b/test/results/flow-info/dropbox.pcap.out
index 815bd1f55..33bb4d167 100644
--- a/test/results/flow-info/dropbox.pcap.out
+++ b/test/results/flow-info/dropbox.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1,0.0]
+                   [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1]
                    [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]
               new: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] 
          detected: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7,0.0]
+                   [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7]
                    [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]
               new: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] 
          detected: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
@@ -34,7 +34,7 @@
                    [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5,0.0]
+                   [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5]
                    [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]
           analyse: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -43,7 +43,7 @@
                    [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6,0.0]
+                   [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6]
                    [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]
      DAEMON-EVENT: [Processed: 800 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/emotet.pcap.out b/test/results/flow-info/emotet.pcap.out
index 69574f4bb..251633348 100644
--- a/test/results/flow-info/emotet.pcap.out
+++ b/test/results/flow-info/emotet.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 749.5,749.7,1106.3,1106.8,0.8,369.8,370.6,0.9,325.6,326.2,0.5,0.3,0.7,841.2,842.4,0.9,0.4,0.4,3054.7,3056.4,1.6,247.2,247.8,0.5,1205.1,1205.6,0.4,443.0,443.6,0.7,0.3,0.0]
+                   [IATS(ms)....: 749.5,749.7,1106.3,1106.8,0.8,369.8,370.6,0.9,325.6,326.2,0.5,0.3,0.7,841.2,842.4,0.9,0.4,0.4,3054.7,3056.4,1.6,247.2,247.8,0.5,1205.1,1205.6,0.4,443.0,443.6,0.7,0.3]
                    [PKTLENS.....: 66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752]
      DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 115.8,115.9,0.3,0.5,204.2,0.1,204.4,0.4,0.2,0.6,0.2,0.2,0.4,0.2,0.5,0.7,0.2,0.2,0.5,115.0,0.2,115.3,0.3,0.3,0.6,9.2,0.2,9.5,0.5,0.2,0.7,0.0]
+                   [IATS(ms)....: 115.8,115.9,0.3,0.5,204.2,0.1,204.4,0.4,0.2,0.6,0.2,0.2,0.4,0.2,0.5,0.7,0.2,0.2,0.5,115.0,0.2,115.3,0.3,0.3,0.6,9.2,0.2,9.5,0.5,0.2,0.7]
                    [PKTLENS.....: 66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54]
               end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
      DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 97.3,97.5,0.4,260.9,260.4,3.2,3.2,9.5,9.5,6.2,0.1,6.3,0.1,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.0,2.6,2.7,60.6,60.7,9.9,9.8,15.1,15.1,12.9,12.9,0.0]
+                   [IATS(ms)....: 97.3,97.5,0.4,260.9,260.4,3.2,3.2,9.5,9.5,6.2,0.1,6.3,0.1,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.0,2.6,2.7,60.6,60.7,9.9,9.8,15.1,15.1,12.9,12.9]
                    [PKTLENS.....: 66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60]
               end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
      DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -56,7 +56,7 @@
                    [BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 184.2,184.5,0.2,171.8,120.6,0.1,0.1,292.2,2.7,0.1,0.1,0.1,2.9,2.7,0.1,0.1,3.0,164.7,0.1,0.1,164.8,2.8,0.1,0.1,3.0,2.9,0.1,0.1,0.2,3.2,0.1,0.0]
+                   [IATS(ms)....: 184.2,184.5,0.2,171.8,120.6,0.1,0.1,292.2,2.7,0.1,0.1,0.1,2.9,2.7,0.1,0.1,3.0,164.7,0.1,0.1,164.8,2.8,0.1,0.1,3.0,2.9,0.1,0.1,0.2,3.2,0.1]
                    [PKTLENS.....: 66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60]
               end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                    RISK: Binary App Transfer
@@ -72,7 +72,7 @@
                    [BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 109.4,109.6,14.1,123.8,13.2,122.9,52.7,132.9,80.3,6.5,151.9,1117.1,0.1,0.2,1262.5,0.1,2.9,0.1,3.1,96.9,0.1,96.9,3.1,0.1,0.2,0.1,3.3,0.1,2.9,0.1,0.0,0.0]
+                   [IATS(ms)....: 109.4,109.6,14.1,123.8,13.2,122.9,52.7,132.9,80.3,6.5,151.9,1117.1,0.1,0.2,1262.5,0.1,2.9,0.1,3.1,96.9,0.1,96.9,3.1,0.1,0.2,0.1,3.3,0.1,2.9,0.1]
                    [PKTLENS.....: 66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442]
  detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                    RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
diff --git a/test/results/flow-info/ethereum.pcap.out b/test/results/flow-info/ethereum.pcap.out
index 5505359a5..6fd239ca7 100644
--- a/test/results/flow-info/ethereum.pcap.out
+++ b/test/results/flow-info/ethereum.pcap.out
@@ -62,7 +62,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 42.9,43.0,2.2,63.5,0.8,0.0,62.1,0.0,0.4,0.3,0.4,0.4,0.1,0.0,0.1,0.0,0.1,0.2,0.3,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,27.6,0.0,0.0]
+                   [IATS(ms)....: 42.9,43.0,2.2,63.5,0.8,0.0,62.1,0.0,0.4,0.3,0.4,0.4,0.1,0.0,0.1,0.0,0.1,0.2,0.3,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,27.6,0.0]
                    [PKTLENS.....: 78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]
               new: [....27] [ip4][..tcp] [..192.168.1.184][56630] -> [..40.67.144.128][30303] 
          detected: [....24] [ip4][..tcp] [..192.168.1.184][56628] -> [....3.209.45.79][30303] [Mining][Mining][Unsafe]
@@ -74,7 +74,7 @@
                    [BINS(c->s)..: 14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1]
-                   [IATS(ms)....: 42.9,43.0,1.9,62.9,2.0,0.0,0.0,0.0,0.0,63.0,0.0,0.0,0.0,0.1,0.1,0.0,1.3,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,32.2,0.0,0.0,30.2,0.8,0.0]
+                   [IATS(ms)....: 42.9,43.0,1.9,62.9,2.0,0.0,0.0,0.0,0.0,63.0,0.0,0.0,0.0,0.1,0.1,0.0,1.3,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,32.2,0.0,0.0,30.2,0.8]
                    [PKTLENS.....: 78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78]
          detected: [.....9] [ip4][..tcp] [..192.168.1.184][56612] -> [...66.42.82.246][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -94,7 +94,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 70.0,70.2,1.4,62.1,2.1,0.0,0.0,0.0,0.0,0.0,62.7,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,63.7,0.0,0.0]
+                   [IATS(ms)....: 70.0,70.2,1.4,62.1,2.1,0.0,0.0,0.0,0.0,0.0,62.7,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,63.7,0.0]
                    [PKTLENS.....: 78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]
               new: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] 
          detected: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] [Mining][Mining][Unsafe]
@@ -113,7 +113,7 @@
                    [BINS(c->s)..: 15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 36.4,36.5,1.5,44.0,0.5,0.0,0.1,0.0,0.0,43.1,0.0,0.0,0.0,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.1,0.1,0.0,0.0,0.0,72.9,0.0,0.0,0.7,0.0,0.0,0.0]
+                   [IATS(ms)....: 36.4,36.5,1.5,44.0,0.5,0.0,0.1,0.0,0.0,43.1,0.0,0.0,0.0,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.1,0.1,0.0,0.0,0.0,72.9,0.0,0.0,0.7,0.0,0.0]
                    [PKTLENS.....: 78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60]
          detected: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -140,7 +140,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 68.5,68.6,1.4,78.1,1.9,0.1,78.6,0.0,0.2,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,67.2,0.0,0.0]
+                   [IATS(ms)....: 68.5,68.6,1.4,78.1,1.9,0.1,78.6,0.0,0.2,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,67.2,0.0]
                    [PKTLENS.....: 78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]
           analyse: [....30] [ip4][..tcp] [..192.168.1.184][56633] -> [.82.145.220.249][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -149,7 +149,7 @@
                    [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 74.2,74.3,1.2,77.3,76.1,0.7,0.0,0.6,0.0,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,52.0,0.0,0.2,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 74.2,74.3,1.2,77.3,76.1,0.7,0.0,0.6,0.0,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,52.0,0.0,0.2,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.1]
                    [PKTLENS.....: 78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60]
               new: [....35] [ip4][..tcp] [..192.168.1.184][56637] -> [.35.233.197.131][30303] 
               new: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] 
@@ -166,7 +166,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 134.4,134.5,2.0,164.5,0.7,163.1,0.2,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.2,0.2,0.4,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,112.9,0.0,0.0]
+                   [IATS(ms)....: 134.4,134.5,2.0,164.5,0.7,163.1,0.2,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.2,0.2,0.4,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,112.9,0.0]
                    [PKTLENS.....: 78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]
          detected: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -182,7 +182,7 @@
                    [BINS(c->s)..: 13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1]
-                   [IATS(ms)....: 32.6,32.7,1.1,41.2,3.0,43.1,1.1,0.0,0.1,0.0,0.0,2.2,0.0,0.0,1.1,0.0,0.0,0.1,0.1,0.4,0.0,0.0,0.0,0.1,33.8,0.0,0.0,0.0,33.3,0.0,0.1,0.0]
+                   [IATS(ms)....: 32.6,32.7,1.1,41.2,3.0,43.1,1.1,0.0,0.1,0.0,0.0,2.2,0.0,0.0,1.1,0.0,0.0,0.1,0.1,0.4,0.0,0.0,0.0,0.1,33.8,0.0,0.0,0.0,33.3,0.0,0.1]
                    [PKTLENS.....: 78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66]
               new: [....42] [ip4][..tcp] [..192.168.1.184][56644] -> [..13.230.108.42][30303] 
          detected: [....39] [ip4][..tcp] [..192.168.1.184][56641] -> [.144.91.120.135][30303] [Mining][Mining][Unsafe]
@@ -194,7 +194,7 @@
                    [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 158.1,158.1,1.9,112.7,1.0,0.0,111.8,0.0,0.1,0.0,0.1,0.0,0.9,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,111.1,0.0,0.8,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 158.1,158.1,1.9,112.7,1.0,0.0,111.8,0.0,0.1,0.0,0.1,0.0,0.9,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,111.1,0.0,0.8,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]
               new: [....43] [ip4][..tcp] [..192.168.1.184][56645] -> [.185.219.133.62][30303] 
          detected: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe]
@@ -214,7 +214,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 195.0,195.1,1.2,202.3,0.3,0.0,201.3,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,175.4,0.4,0.0]
+                   [IATS(ms)....: 195.0,195.1,1.2,202.3,0.3,0.0,201.3,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,175.4,0.4]
                    [PKTLENS.....: 78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]
          detected: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -225,7 +225,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 107.6,107.7,1.5,109.0,1.8,109.4,0.7,0.0,0.1,0.0,0.1,1.0,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.0,0.0,0.1,0.0,0.0,0.0,107.1,0.0,0.0]
+                   [IATS(ms)....: 107.6,107.7,1.5,109.0,1.8,109.4,0.7,0.0,0.1,0.0,0.1,1.0,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.0,0.0,0.1,0.0,0.0,0.0,107.1,0.0]
                    [PKTLENS.....: 78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60]
               new: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] 
               new: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] 
@@ -236,7 +236,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1]
-                   [IATS(ms)....: 44.4,44.5,1.1,47.4,2.6,0.0,48.9,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,43.3,0.5,42.7,0.2,0.0,0.0]
+                   [IATS(ms)....: 44.4,44.5,1.1,47.4,2.6,0.0,48.9,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,43.3,0.5,42.7,0.2,0.0]
                    [PKTLENS.....: 78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70]
               new: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] 
          detected: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] [Mining][Mining][Unsafe]
@@ -252,7 +252,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1]
-                   [IATS(ms)....: 47.2,47.4,1.6,49.5,3.7,51.6,0.8,0.0,1.0,0.1,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,45.6,1.1,0.0,46.3,0.1,0.0]
+                   [IATS(ms)....: 47.2,47.4,1.6,49.5,3.7,51.6,0.8,0.0,1.0,0.1,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,45.6,1.1,0.0,46.3,0.1]
                    [PKTLENS.....: 78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67]
               new: [....51] [ip4][..tcp] [..192.168.1.184][56655] -> [.202.112.28.106][30303] 
          detected: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe]
@@ -266,7 +266,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 261.7,261.8,1.5,222.8,0.1,0.0,0.0,221.3,0.0,0.0,0.2,0.0,0.2,0.0,0.1,0.0,0.1,0.0,0.6,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,211.4,0.0,0.0]
+                   [IATS(ms)....: 261.7,261.8,1.5,222.8,0.1,0.0,0.0,221.3,0.0,0.0,0.2,0.0,0.2,0.0,0.1,0.0,0.1,0.0,0.6,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,211.4,0.0]
                    [PKTLENS.....: 78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]
           analyse: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -275,7 +275,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 263.1,263.2,1.3,221.8,0.2,0.0,0.0,220.8,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,212.6,0.2,0.0]
+                   [IATS(ms)....: 263.1,263.2,1.3,221.8,0.2,0.0,0.0,220.8,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,212.6,0.2]
                    [PKTLENS.....: 78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]
          detected: [....49] [ip4][..tcp] [..192.168.1.184][56654] -> [..85.214.108.52][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -288,7 +288,7 @@
                    [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 32.6,32.6,1.2,33.9,3.9,36.5,0.4,0.4,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,31.1,0.1,0.0,0.1,0.0,0.6,0.1,0.0,0.0]
+                   [IATS(ms)....: 32.6,32.6,1.2,33.9,3.9,36.5,0.4,0.4,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,31.1,0.1,0.0,0.1,0.0,0.6,0.1,0.0]
                    [PKTLENS.....: 78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]
           analyse: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -297,7 +297,7 @@
                    [BINS(c->s)..: 14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0]
-                   [IATS(ms)....: 25.5,25.6,1.2,25.9,91.4,116.0,0.8,0.0,0.1,0.0,0.0,24.5,23.6,0.4,0.0,0.0,0.0,0.7,0.1,0.7,0.0,0.0,0.0,23.3,0.0,24.1,0.2,0.3,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 25.5,25.6,1.2,25.9,91.4,116.0,0.8,0.0,0.1,0.0,0.0,24.5,23.6,0.4,0.0,0.0,0.0,0.7,0.1,0.7,0.0,0.0,0.0,23.3,0.0,24.1,0.2,0.3,0.0,0.0,0.0]
                    [PKTLENS.....: 78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78]
           analyse: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -306,7 +306,7 @@
                    [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 32.8,32.8,1.3,33.9,2.4,35.0,0.3,0.2,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,32.6,0.0,0.1,0.1,0.1,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 32.8,32.8,1.3,33.9,2.4,35.0,0.3,0.2,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,32.6,0.0,0.1,0.1,0.1,0.0,0.0,0.1]
                    [PKTLENS.....: 78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]
               new: [....54] [ip4][..tcp] [..192.168.1.184][56660] -> [...51.161.23.12][30303] 
               new: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] 
@@ -319,7 +319,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 157.7,157.8,1.6,152.9,8.1,159.4,1.2,0.0,0.1,0.0,0.1,1.9,0.0,0.5,0.0,0.1,0.0,0.1,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.0,0.7,0.4,149.7,0.6,0.0]
+                   [IATS(ms)....: 157.7,157.8,1.6,152.9,8.1,159.4,1.2,0.0,0.1,0.0,0.1,1.9,0.0,0.5,0.0,0.1,0.0,0.1,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.0,0.7,0.4,149.7,0.6]
                    [PKTLENS.....: 78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60]
           analyse: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -328,7 +328,7 @@
                    [BINS(c->s)..: 16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 130.8,130.9,1.3,122.8,1.3,122.7,0.2,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.3,0.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,121.1,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 130.8,130.9,1.3,122.8,1.3,122.7,0.2,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.3,0.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,121.1,0.0,0.0,0.0]
                    [PKTLENS.....: 78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60]
           analyse: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -337,7 +337,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1]
-                   [IATS(ms)....: 56.8,56.9,1.6,56.4,2.3,57.1,0.5,0.5,0.1,0.0,0.1,0.0,0.2,0.0,0.1,0.0,0.0,1.1,0.9,0.4,0.0,0.0,0.0,0.1,56.5,0.0,0.0,55.9,0.0,1.8,0.0,0.0]
+                   [IATS(ms)....: 56.8,56.9,1.6,56.4,2.3,57.1,0.5,0.5,0.1,0.0,0.1,0.0,0.2,0.0,0.1,0.0,0.0,1.1,0.9,0.4,0.0,0.0,0.0,0.1,56.5,0.0,0.0,55.9,0.0,1.8,0.0]
                    [PKTLENS.....: 78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66]
           analyse: [....18] [ip4][..tcp] [..192.168.1.184][56622] -> [..18.138.108.67][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -346,7 +346,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 300.4,300.4,1.7,253.4,0.7,0.0,252.4,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,252.8,0.0,0.0]
+                   [IATS(ms)....: 300.4,300.4,1.7,253.4,0.7,0.0,252.4,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,252.8,0.0]
                    [PKTLENS.....: 78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]
           analyse: [....19] [ip4][..tcp] [..192.168.1.184][56623] -> [...18.138.81.28][30303] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -355,7 +355,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 308.0,308.1,2.1,260.3,1.6,259.8,0.5,0.5,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,2.3,1.9,254.5,0.0,0.0]
+                   [IATS(ms)....: 308.0,308.1,2.1,260.3,1.6,259.8,0.5,0.5,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,2.3,1.9,254.5,0.0]
                    [PKTLENS.....: 78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60]
               new: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] 
          detected: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] [Mining][Mining][Unsafe]
@@ -371,7 +371,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 339.2,339.3,1.3,287.2,2.5,288.4,1.0,0.0,1.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.1,0.6,0.3,285.6,0.0,0.0]
+                   [IATS(ms)....: 339.2,339.3,1.3,287.2,2.5,288.4,1.0,0.0,1.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.1,0.6,0.3,285.6,0.0]
                    [PKTLENS.....: 78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60]
          detected: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -389,7 +389,7 @@
                    [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 354.5,354.6,1.5,316.9,1.3,316.7,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.3,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,313.9,0.3,0.0]
+                   [IATS(ms)....: 354.5,354.6,1.5,316.9,1.3,316.7,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.3,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,313.9,0.3]
                    [PKTLENS.....: 78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]
               new: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] 
          detected: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] [Mining][Mining][Unsafe]
@@ -413,7 +413,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1]
-                   [IATS(ms)....: 139.3,139.4,1.7,141.7,7.2,147.3,0.8,0.0,0.1,0.0,0.1,6.7,5.8,0.3,0.2,0.7,0.0,0.0,0.8,0.0,0.0,0.4,0.0,0.0,0.0,0.0,130.0,0.2,0.8,130.5,0.3,0.0]
+                   [IATS(ms)....: 139.3,139.4,1.7,141.7,7.2,147.3,0.8,0.0,0.1,0.0,0.1,6.7,5.8,0.3,0.2,0.7,0.0,0.0,0.8,0.0,0.0,0.4,0.0,0.0,0.0,0.0,130.0,0.2,0.8,130.5,0.3]
                    [PKTLENS.....: 78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67]
               new: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] 
               new: [....64] [ip4][..tcp] [..192.168.1.184][56673] -> [..78.47.147.155][30303] 
@@ -424,7 +424,7 @@
                    [BINS(c->s)..: 17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 39.1,39.2,1.5,38.4,0.4,37.3,0.8,0.0,0.0,0.0,0.1,39.2,38.3,0.3,0.3,0.6,0.0,0.0,0.0,0.1,30.7,30.6,0.3,0.2,0.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0]
+                   [IATS(ms)....: 39.1,39.2,1.5,38.4,0.4,37.3,0.8,0.0,0.0,0.0,0.1,39.2,38.3,0.3,0.3,0.6,0.0,0.0,0.0,0.1,30.7,30.6,0.3,0.2,0.0,0.0,0.0,0.0,0.1,0.0,0.1]
                    [PKTLENS.....: 78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70]
               new: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] 
          detected: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] [Mining][Mining][Unsafe]
@@ -441,7 +441,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0]
-                   [IATS(ms)....: 179.3,179.4,1.8,184.4,0.2,182.8,0.1,0.1,0.1,0.1,0.4,0.0,0.4,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.3,0.0,0.0,0.0,0.2,176.5,0.9,1.0,0.0,177.6,0.0]
+                   [IATS(ms)....: 179.3,179.4,1.8,184.4,0.2,182.8,0.1,0.1,0.1,0.1,0.4,0.0,0.4,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.3,0.0,0.0,0.0,0.2,176.5,0.9,1.0,0.0,177.6]
                    [PKTLENS.....: 78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66]
          detected: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
@@ -453,7 +453,7 @@
                    [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 41.4,41.5,1.3,42.4,1.0,42.1,0.2,0.2,0.4,0.4,0.4,0.4,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,39.1,1.4,0.0,0.1,0.1,0.0,0.1,0.1,0.0]
+                   [IATS(ms)....: 41.4,41.5,1.3,42.4,1.0,42.1,0.2,0.2,0.4,0.4,0.4,0.4,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,39.1,1.4,0.0,0.1,0.1,0.0,0.1,0.1]
                    [PKTLENS.....: 78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]
               new: [....68] [ip4][..tcp] [..192.168.1.184][56679] -> [..35.228.158.52][30303] 
           analyse: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe]
@@ -463,7 +463,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 179.2,179.3,1.5,193.5,0.4,0.0,192.3,0.0,0.2,0.2,0.7,0.0,0.1,0.0,0.1,2.8,2.1,0.4,0.0,0.0,0.0,0.1,193.8,0.2,0.8,194.1,0.1,0.1,1.1,0.0,1.2,0.0]
+                   [IATS(ms)....: 179.2,179.3,1.5,193.5,0.4,0.0,192.3,0.0,0.2,0.2,0.7,0.0,0.1,0.0,0.1,2.8,2.1,0.4,0.0,0.0,0.0,0.1,193.8,0.2,0.8,194.1,0.1,0.1,1.1,0.0,1.2]
                    [PKTLENS.....: 78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66]
               new: [....69] [ip4][..tcp] [..192.168.1.184][56680] -> [...138.59.17.58][30303] 
               new: [....70] [ip4][..tcp] [..192.168.1.184][56681] -> [207.180.206.216][30303] 
@@ -481,7 +481,7 @@
                    [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 71.3,71.4,1.3,75.1,1.0,0.0,74.8,0.0,0.1,0.1,0.5,0.5,0.2,0.0,0.1,0.0,0.1,0.3,0.0,0.0,0.0,0.1,69.6,0.8,0.0,69.7,0.7,0.0,0.7,0.0,0.1,0.0]
+                   [IATS(ms)....: 71.3,71.4,1.3,75.1,1.0,0.0,74.8,0.0,0.1,0.1,0.5,0.5,0.2,0.0,0.1,0.0,0.1,0.3,0.0,0.0,0.0,0.1,69.6,0.8,0.0,69.7,0.7,0.0,0.7,0.0,0.1]
                    [PKTLENS.....: 78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66]
               new: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] 
           analyse: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe]
@@ -491,7 +491,7 @@
                    [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 259.7,259.8,1.3,261.4,3.0,263.1,0.5,0.4,0.3,0.2,0.2,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,260.1,0.0,0.0,0.1,0.1,0.0,0.7,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 259.7,259.8,1.3,261.4,3.0,263.1,0.5,0.4,0.3,0.2,0.2,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,260.1,0.0,0.0,0.1,0.1,0.0,0.7,0.0,0.0,0.0]
                    [PKTLENS.....: 78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60]
               new: [....73] [ip4][..tcp] [..192.168.1.184][56685] -> [...88.99.93.219][30303] 
          detected: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] [Mining][Mining][Unsafe]
@@ -512,7 +512,7 @@
                    [BINS(c->s)..: 16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0]
-                   [IATS(ms)....: 40.4,40.4,1.5,40.9,246.5,285.9,40.6,40.6,0.7,0.0,0.1,0.0,0.0,0.4,0.0,0.0,0.0,0.1,39.4,0.2,0.9,0.7,39.7,0.2,0.0,0.0,0.0,0.1,1.1,0.8,0.2,0.0]
+                   [IATS(ms)....: 40.4,40.4,1.5,40.9,246.5,285.9,40.6,40.6,0.7,0.0,0.1,0.0,0.0,0.4,0.0,0.0,0.0,0.1,39.4,0.2,0.9,0.7,39.7,0.2,0.0,0.0,0.0,0.1,1.1,0.8,0.2]
                    [PKTLENS.....: 78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98]
               end: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe]
                    RISK: Unsafe Protocol
diff --git a/test/results/flow-info/exe_download.pcap.out b/test/results/flow-info/exe_download.pcap.out
index f42005a12..eca925875 100644
--- a/test/results/flow-info/exe_download.pcap.out
+++ b/test/results/flow-info/exe_download.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0]
-                   [IATS(ms)....: 319.3,319.5,0.7,1.1,298.1,0.0,298.6,1.6,0.1,1.8,2.4,2.7,0.0,5.0,0.2,28.6,0.1,28.9,100.7,305.8,0.0,0.0,0.1,205.2,0.2,0.2,0.7,0.0,0.0,0.0,0.7,0.0]
+                   [IATS(ms)....: 319.3,319.5,0.7,1.1,298.1,0.0,298.6,1.6,0.1,1.8,2.4,2.7,0.0,5.0,0.2,28.6,0.1,28.9,100.7,305.8,0.0,0.0,0.1,205.2,0.2,0.2,0.7,0.0,0.0,0.0,0.7]
                    [PKTLENS.....: 66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54]
               end: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable]
                    RISK: Binary App Transfer, HTTP Suspicious User-Agent, HTTP Numeric IP Address
diff --git a/test/results/flow-info/exe_download_as_png.pcap.out b/test/results/flow-info/exe_download_as_png.pcap.out
index 377b18b31..6a58cb2a7 100644
--- a/test/results/flow-info/exe_download_as_png.pcap.out
+++ b/test/results/flow-info/exe_download_as_png.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 400.2,400.5,0.2,0.7,612.7,0.0,613.0,0.4,0.5,0.8,0.4,0.5,0.9,1.1,0.4,1.6,0.4,0.7,1.1,417.7,1.4,0.1,419.5,0.7,0.4,0.9,2.6,0.2,2.8,26.6,0.3,0.0]
+                   [IATS(ms)....: 400.2,400.5,0.2,0.7,612.7,0.0,613.0,0.4,0.5,0.8,0.4,0.5,0.9,1.1,0.4,1.6,0.4,0.7,1.1,417.7,1.4,0.1,419.5,0.7,0.4,0.9,2.6,0.2,2.8,26.6,0.3]
                    [PKTLENS.....: 66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418]
               end: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable]
                    RISK: Binary App Transfer, HTTP Numeric IP Address
diff --git a/test/results/flow-info/facebook.pcap.out b/test/results/flow-info/facebook.pcap.out
index e43e19d1c..17db51e79 100644
--- a/test/results/flow-info/facebook.pcap.out
+++ b/test/results/flow-info/facebook.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 132.1,132.1,0.2,154.7,0.5,155.0,0.2,3.3,129.4,125.9,0.4,0.4,0.8,119.2,4.5,123.7,0.6,0.6,1.2,4.9,0.6,5.6,8.9,7.8,16.7,0.9,0.5,1.4,0.8,0.7,1.4,0.0]
+                   [IATS(ms)....: 132.1,132.1,0.2,154.7,0.5,155.0,0.2,3.3,129.4,125.9,0.4,0.4,0.8,119.2,4.5,123.7,0.6,0.6,1.2,4.9,0.6,5.6,8.9,7.8,16.7,0.9,0.5,1.4,0.8,0.7,1.4]
                    [PKTLENS.....: 74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66]
              idle: [.....1] [ip4][..tcp] [..192.168.43.18][52066] -> [..66.220.156.68][..443] 
              idle: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun]
diff --git a/test/results/flow-info/fastcgi.pcap.out b/test/results/flow-info/fastcgi.pcap.out
index b8726bb6c..729151ced 100644
--- a/test/results/flow-info/fastcgi.pcap.out
+++ b/test/results/flow-info/fastcgi.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.2,0.2,0.0,0.1,0.0,0.2,0.1,0.0,0.1,0.0,0.0,0.0,2019.9,2020.1,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.2,0.0,0.1,0.0,0.2,0.1,0.0,0.1,0.0,0.0,0.0,2019.9,2020.1,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0]
                    [PKTLENS.....: 74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514]
               end: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/firefox.pcap.out b/test/results/flow-info/firefox.pcap.out
index 163922d9b..dc107dfe1 100644
--- a/test/results/flow-info/firefox.pcap.out
+++ b/test/results/flow-info/firefox.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]
-                   [IATS(ms)....: 26.7,26.8,1.3,27.3,5.8,0.0,31.8,0.5,0.5,211.0,0.3,236.0,0.0,1.3,0.0,26.1,0.0,575.4,1.2,576.6,0.3,0.1,0.3,0.1,0.1,0.2,1.4,145.8,171.4,2.9,1.4,0.0]
+                   [IATS(ms)....: 26.7,26.8,1.3,27.3,5.8,0.0,31.8,0.5,0.5,211.0,0.3,236.0,0.0,1.3,0.0,26.1,0.0,575.4,1.2,576.6,0.3,0.1,0.3,0.1,0.1,0.2,1.4,145.8,171.4,2.9,1.4]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506]
               new: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] 
          detected: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe]
@@ -29,7 +29,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0]
-                   [IATS(ms)....: 34.4,34.5,3.3,32.3,1.5,30.5,4.2,18.6,31.6,0.0,8.9,18.5,3.0,0.1,21.6,203.5,231.0,1.0,0.2,0.0,28.7,0.2,0.2,0.9,0.1,1.0,0.1,0.4,0.0,0.0,0.5,0.0]
+                   [IATS(ms)....: 34.4,34.5,3.3,32.3,1.5,30.5,4.2,18.6,31.6,0.0,8.9,18.5,3.0,0.1,21.6,203.5,231.0,1.0,0.2,0.0,28.7,0.2,0.2,0.9,0.1,1.0,0.1,0.4,0.0,0.0,0.5]
                    [PKTLENS.....: 78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66]
          detected: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe]
          detected: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe]
@@ -41,7 +41,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 27.4,27.4,16.2,42.1,1.2,27.2,10.1,34.7,0.0,24.7,195.8,221.4,1.8,27.4,3.4,28.7,1.1,0.2,26.6,1.0,0.1,1.1,0.1,0.1,0.2,0.1,0.1,0.3,0.3,0.2,0.5,0.0]
+                   [IATS(ms)....: 27.4,27.4,16.2,42.1,1.2,27.2,10.1,34.7,0.0,24.7,195.8,221.4,1.8,27.4,3.4,28.7,1.1,0.2,26.6,1.0,0.1,1.1,0.1,0.1,0.2,0.1,0.1,0.3,0.3,0.2,0.5]
                    [PKTLENS.....: 78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]
  detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Web][Safe]
  detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe]
@@ -54,7 +54,7 @@
                    [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1]
-                   [IATS(ms)....: 26.8,26.8,3.3,29.2,2.4,28.4,2.9,12.8,29.6,0.0,13.9,11.4,1.7,0.1,13.2,0.1,0.3,1.0,0.8,0.1,0.2,0.1,0.1,0.2,0.1,0.3,0.1,0.3,12.0,12.2,0.1,0.0]
+                   [IATS(ms)....: 26.8,26.8,3.3,29.2,2.4,28.4,2.9,12.8,29.6,0.0,13.9,11.4,1.7,0.1,13.2,0.1,0.3,1.0,0.8,0.1,0.2,0.1,0.1,0.2,0.1,0.3,0.1,0.3,12.0,12.2,0.1]
                    [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506]
  detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe]
           analyse: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] 
@@ -64,7 +64,7 @@
                    [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 28.1,28.2,5.5,31.7,1.1,27.2,20.3,4.0,45.6,1.3,22.6,2.8,3.1,0.1,6.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.4,0.3,1.5,18.6,0.0,17.4,0.0]
+                   [IATS(ms)....: 28.1,28.2,5.5,31.7,1.1,27.2,20.3,4.0,45.6,1.3,22.6,2.8,3.1,0.1,6.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.4,0.3,1.5,18.6,0.0,17.4]
                    [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66]
  detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe]
           analyse: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] 
@@ -74,7 +74,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1]
-                   [IATS(ms)....: 28.6,28.7,7.7,37.4,1.5,31.1,2.2,13.0,31.0,0.1,15.9,15.4,0.5,0.1,16.0,0.3,0.4,0.6,0.1,0.2,0.0,0.4,0.0,0.2,0.5,36.5,0.1,0.1,36.1,0.2,0.4,0.0]
+                   [IATS(ms)....: 28.6,28.7,7.7,37.4,1.5,31.1,2.2,13.0,31.0,0.1,15.9,15.4,0.5,0.1,16.0,0.3,0.4,0.6,0.1,0.2,0.0,0.4,0.0,0.2,0.5,36.5,0.1,0.1,36.1,0.2,0.4]
                    [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506]
  detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe]
              idle: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/fix.pcap.out b/test/results/flow-info/fix.pcap.out
index a8e339af2..3eeb4311b 100644
--- a/test/results/flow-info/fix.pcap.out
+++ b/test/results/flow-info/fix.pcap.out
@@ -20,7 +20,7 @@
                    [BINS(c->s)..: 4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.2,0.2,52.4,3.6,94.0,87.6,49.4,50.7,50.7,52.8,52.9,49.7,49.6,49.7,49.7,49.5,49.4,49.8,49.8,50.0,50.0,49.9,49.9,49.6,49.6,49.8,49.8,50.2,50.2,314.9,315.0,0.0]
+                   [IATS(ms)....: 0.2,0.2,52.4,3.6,94.0,87.6,49.4,50.7,50.7,52.8,52.9,49.7,49.6,49.7,49.7,49.5,49.4,49.8,49.8,50.0,50.0,49.9,49.9,49.6,49.6,49.8,49.8,50.2,50.2,314.9,315.0]
                    [PKTLENS.....: 93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60]
               new: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [MIDSTREAM] 
          detected: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [FIX][RPC][Safe]
@@ -33,7 +33,7 @@
                    [BINS(c->s)..: 6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.1,100.1,0.1,100.2,0.1,100.0,0.1,100.1,0.0,99.9,100.0,100.2,100.2,100.8,100.8,300.2,0.0,300.2,0.0,0.2,17.9,82.4,142.0,200.5,158.5,100.0,99.9,0.4,0.4,200.2,200.3,0.0]
+                   [IATS(ms)....: 0.1,100.1,0.1,100.2,0.1,100.0,0.1,100.1,0.0,99.9,100.0,100.2,100.2,100.8,100.8,300.2,0.0,300.2,0.0,0.2,17.9,82.4,142.0,200.5,158.5,100.0,99.9,0.4,0.4,200.2,200.3]
                    [PKTLENS.....: 96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66]
               new: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [MIDSTREAM] 
          detected: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [FIX][RPC][Safe]
@@ -44,7 +44,7 @@
                    [BINS(c->s)..: 2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.2,0.3,0.3,250.6,0.1,250.6,0.0,0.2,18.2,232.1,291.3,250.1,209.0,250.7,250.7,250.6,250.6,250.7,250.7,250.7,250.7,250.6,0.0,250.7,0.0,251.5,251.5,249.7,249.8,250.3,250.3,0.0]
+                   [IATS(ms)....: 0.2,0.3,0.3,250.6,0.1,250.6,0.0,0.2,18.2,232.1,291.3,250.1,209.0,250.7,250.7,250.6,250.6,250.7,250.7,250.7,250.7,250.6,0.0,250.7,0.0,251.5,251.5,249.7,249.8,250.3,250.3]
                    [PKTLENS.....: 152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66]
               new: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [MIDSTREAM] 
          detected: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [FIX][RPC][Safe]
@@ -59,7 +59,7 @@
                    [BINS(c->s)..: 2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 0.2,500.7,500.7,200.4,200.5,0.2,89.7,210.7,340.3,500.7,460.5,5507.3,5507.3,601.0,601.0,400.4,400.5,701.0,701.0,400.4,400.4,600.6,600.6,400.8,400.8,600.8,600.8,0.2,54.3,45.7,140.3,0.0]
+                   [IATS(ms)....: 0.2,500.7,500.7,200.4,200.5,0.2,89.7,210.7,340.3,500.7,460.5,5507.3,5507.3,601.0,601.0,400.4,400.5,701.0,701.0,400.4,400.4,600.6,600.6,400.8,400.8,600.8,600.8,0.2,54.3,45.7,140.3]
                    [PKTLENS.....: 89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60]
           analyse: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -68,7 +68,7 @@
                    [BINS(c->s)..: 2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.1,1093.3,1093.4,599.0,599.0,1546.1,1546.1,0.2,22.8,2072.7,2137.8,913.3,870.7,442.0,442.0,3366.1,3366.1,1195.4,1195.4,437.7,437.7,1550.2,1550.2,0.2,22.4,1711.4,1774.3,1498.2,1457.5,4175.1,4175.0,0.0]
+                   [IATS(ms)....: 0.1,1093.3,1093.4,599.0,599.0,1546.1,1546.1,0.2,22.8,2072.7,2137.8,913.3,870.7,442.0,442.0,3366.1,3366.1,1195.4,1195.4,437.7,437.7,1550.2,1550.2,0.2,22.4,1711.4,1774.3,1498.2,1457.5,4175.1,4175.0]
                    [PKTLENS.....: 105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66]
              idle: [.....3] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45578] [FIX][RPC][Safe]
              idle: [.....5] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45584] [FIX][RPC][Safe]
diff --git a/test/results/flow-info/fix2.pcap.out b/test/results/flow-info/fix2.pcap.out
index 876e7d089..c3a494883 100644
--- a/test/results/flow-info/fix2.pcap.out
+++ b/test/results/flow-info/fix2.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 0.6,0.7,0.0,0.1,0.1,0.0,0.0,0.0,0.2,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.6,0.7,0.0,0.1,0.1,0.0,0.0,0.0,0.2,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152]
           analyse: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -21,7 +21,7 @@
                    [BINS(c->s)..: 6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 0.6,0.6,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.6,0.6,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60]
               end: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe]
               end: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe]
diff --git a/test/results/flow-info/forticlient.pcap.out b/test/results/flow-info/forticlient.pcap.out
index 444105a0f..6fedb2121 100644
--- a/test/results/flow-info/forticlient.pcap.out
+++ b/test/results/flow-info/forticlient.pcap.out
@@ -43,7 +43,7 @@
                    [BINS(c->s)..: 9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1]
-                   [IATS(ms)....: 62.6,62.7,2.3,64.5,19.9,1.9,84.0,11.2,85.3,74.2,429.6,495.0,65.4,84.5,160.2,75.7,71.6,6.3,142.9,0.6,65.6,0.3,0.2,2.9,4.0,0.0,64.2,57.2,0.4,4.0,0.1,0.0]
+                   [IATS(ms)....: 62.6,62.7,2.3,64.5,19.9,1.9,84.0,11.2,85.3,74.2,429.6,495.0,65.4,84.5,160.2,75.7,71.6,6.3,142.9,0.6,65.6,0.3,0.2,2.9,4.0,0.0,64.2,57.2,0.4,4.0,0.1]
                    [PKTLENS.....: 78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125]
               end: [.....1] [ip4][..tcp] [..192.168.1.178][61805] -> [....82.81.46.13][10443] 
               end: [.....2] [ip4][..tcp] [..192.168.1.178][61806] -> [....82.81.46.13][10443] 
diff --git a/test/results/flow-info/ftp-start-tls.pcap.out b/test/results/flow-info/ftp-start-tls.pcap.out
index 8aa54a748..6af809aac 100644
--- a/test/results/flow-info/ftp-start-tls.pcap.out
+++ b/test/results/flow-info/ftp-start-tls.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 0.4,0.1,1.3,15.0,0.1,17.8,3.9,0.1,0.8,0.0,4.3,3.3,0.1,1.0,0.0,0.0,0.0,0.1,0.0,2.6,8.5,40.4,0.1,34.7,4.5,0.7,2.2,1.8,0.3,2.7,2.2,0.0]
+                   [IATS(ms)....: 0.4,0.1,1.3,15.0,0.1,17.8,3.9,0.1,0.8,0.0,4.3,3.3,0.1,1.0,0.0,0.0,0.0,0.1,0.0,2.6,8.5,40.4,0.1,34.7,4.5,0.7,2.2,1.8,0.3,2.7,2.2]
                    [PKTLENS.....: 60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144]
  detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe]
                    RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn
diff --git a/test/results/flow-info/ftp.pcap.out b/test/results/flow-info/ftp.pcap.out
index de06070f5..fdd9717dc 100644
--- a/test/results/flow-info/ftp.pcap.out
+++ b/test/results/flow-info/ftp.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 27.4,27.5,29.0,29.0,0.5,27.7,0.3,27.4,0.2,69.1,21.2,90.0,0.3,27.1,0.0,26.8,0.1,27.0,0.1,26.9,0.0,0.3,27.5,27.3,0.1,0.0,0.7,27.1,26.5,0.1,26.8,0.0]
+                   [IATS(ms)....: 27.4,27.5,29.0,29.0,0.5,27.7,0.3,27.4,0.2,69.1,21.2,90.0,0.3,27.1,0.0,26.8,0.1,27.0,0.1,26.9,0.0,0.3,27.5,27.3,0.1,0.0,0.7,27.1,26.5,0.1,26.8]
                    [PKTLENS.....: 78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100]
               new: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] 
          detected: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] [FTP_DATA][Download][Acceptable]
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1]
-                   [IATS(ms)....: 28.8,28.8,29.6,29.6,0.3,0.3,0.6,0.6,0.3,0.5,0.8,0.4,0.4,0.1,0.3,0.0,0.4,0.0,0.3,27.5,27.8,0.2,0.2,1.7,0.1,0.0,1.8,1.9,1.9,0.2,1.8,0.0]
+                   [IATS(ms)....: 28.8,28.8,29.6,29.6,0.3,0.3,0.6,0.6,0.3,0.5,0.8,0.4,0.4,0.1,0.3,0.0,0.4,0.0,0.3,27.5,27.8,0.2,0.2,1.7,0.1,0.0,1.8,1.9,1.9,0.2,1.8]
                    [PKTLENS.....: 78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506]
      not-detected: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated]
               end: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated]
diff --git a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out
index 981ae2a1e..94591c2d0 100644
--- a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out
+++ b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out
@@ -525,7 +525,7 @@
                    [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 746.3,47494.7,744.6,751.1,46512.3,745.7,46548.5,1500.6,45837.6,749.4,751.1,46756.5,741.8,751.1,45988.0,749.2,47479.8,47268.1,749.4,47258.0,751.1,46297.9,749.8,46628.0,750.2,751.1,45907.7,749.4,751.1,46347.7,750.0,0.0]
+                   [IATS(ms)....: 746.3,47494.7,744.6,751.1,46512.3,745.7,46548.5,1500.6,45837.6,749.4,751.1,46756.5,741.8,751.1,45988.0,749.2,47479.8,47268.1,749.4,47258.0,751.1,46297.9,749.8,46628.0,750.2,751.1,45907.7,749.4,751.1,46347.7,750.0]
                    [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]
              idle: [....76] [ip4][..udp] [..192.168.130.1][...53] -> [....192.168.1.2][.2741] [DNS][Network][Acceptable]
              idle: [....75] [ip4][..udp] [....192.168.1.2][.2741] -> [....192.168.1.1][...53] 
@@ -967,7 +967,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 17474.8,107207.5,89874.9,17280.7,167478.6,167525.2,17335.8,73902.7,91241.1,17333.2,25.9,17725.0,29031.8,29092.7,68237.2,29272.4,29031.8,29031.6,29031.5,18604.5,279041.8,227.1,15287.5,17115.0,32679.4,257.3,76383.1,29031.1,58063.5,24495.5,17375.1,0.0]
+                   [IATS(ms)....: 17474.8,107207.5,89874.9,17280.7,167478.6,167525.2,17335.8,73902.7,91241.1,17333.2,25.9,17725.0,29031.8,29092.7,68237.2,29272.4,29031.8,29031.6,29031.5,18604.5,279041.8,227.1,15287.5,17115.0,32679.4,257.3,76383.1,29031.1,58063.5,24495.5,17375.1]
                    [PKTLENS.....: 528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715]
       ERROR-EVENT: Unknown packet type
       ERROR-EVENT: nDPI IPv4/L4 payload detection failed
diff --git a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out
index eac928d80..c71604825 100644
--- a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out
+++ b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out
@@ -75,7 +75,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0]
-                   [IATS(ms)....: 155.2,452627.7,595.4,114837.3,612411.2,44261.5,205.2,4046.5,4037.8,201.9,4553.2,187.1,43562.4,202.6,48502.1,3244.5,3442.4,3335.8,3536.4,209.1,201.4,255983.2,256164.3,599.6,6263.0,492.5,7309.6,8000.5,8015.3,522.3,7260.9,0.0]
+                   [IATS(ms)....: 155.2,452627.7,595.4,114837.3,612411.2,44261.5,205.2,4046.5,4037.8,201.9,4553.2,187.1,43562.4,202.6,48502.1,3244.5,3442.4,3335.8,3536.4,209.1,201.4,255983.2,256164.3,599.6,6263.0,492.5,7309.6,8000.5,8015.3,522.3,7260.9]
                    [PKTLENS.....: 697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745]
       ERROR-EVENT: Unknown L3 protocol
               new: [....13] [ip4][..udp] [..198.162.25.53][.1810] -> [....10.12.64.30][29200] 
diff --git a/test/results/flow-info/git.pcap.out b/test/results/flow-info/git.pcap.out
index 09087f2cc..92368f3c6 100644
--- a/test/results/flow-info/git.pcap.out
+++ b/test/results/flow-info/git.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 57.9,58.0,0.1,56.1,43.8,99.9,54.7,54.7,0.5,49.5,48.9,45.5,0.0,17.8,63.4,1.8,0.2,2.0,0.9,0.2,1.1,0.2,0.2,0.7,0.4,1.1,50.6,0.2,50.8,0.5,0.7,0.0]
+                   [IATS(ms)....: 57.9,58.0,0.1,56.1,43.8,99.9,54.7,54.7,0.5,49.5,48.9,45.5,0.0,17.8,63.4,1.8,0.2,2.0,0.9,0.2,1.1,0.2,0.2,0.7,0.4,1.1,50.6,0.2,50.8,0.5,0.7]
                    [PKTLENS.....: 74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506]
               end: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/gnutella.pcap.out b/test/results/flow-info/gnutella.pcap.out
index f0eb85b2f..46a647992 100644
--- a/test/results/flow-info/gnutella.pcap.out
+++ b/test/results/flow-info/gnutella.pcap.out
@@ -581,7 +581,7 @@
                    [BINS(c->s)..: 9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 111.8,112.0,0.2,0.6,122.2,123.8,1.7,510.2,510.3,125.4,7.0,133.1,508.5,509.1,643.4,701.9,8737.9,8796.5,643.9,0.1,644.7,118.6,3.0,121.6,121.6,0.1,121.5,120.9,0.1,121.0,117.5,0.0]
+                   [IATS(ms)....: 111.8,112.0,0.2,0.6,122.2,123.8,1.7,510.2,510.3,125.4,7.0,133.1,508.5,509.1,643.4,701.9,8737.9,8796.5,643.9,0.1,644.7,118.6,3.0,121.6,121.6,0.1,121.5,120.9,0.1,121.0,117.5]
                    [PKTLENS.....: 66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654]
           analyse: [...238] [ip4][..tcp] [......10.0.2.15][50284] -> [.104.156.226.72][53258] [Gnutella][Download][Potentially Dangerous]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -590,7 +590,7 @@
                    [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1]
-                   [IATS(ms)....: 128.3,128.7,0.4,0.9,178.6,178.8,0.0,501.2,501.5,98.4,140.7,469.4,511.6,1191.0,1233.5,8175.8,8218.5,772.3,828.1,95.7,89.5,96.9,110.1,405.4,409.6,95.4,89.1,2.8,63.4,0.6,0.6,0.0]
+                   [IATS(ms)....: 128.3,128.7,0.4,0.9,178.6,178.8,0.0,501.2,501.5,98.4,140.7,469.4,511.6,1191.0,1233.5,8175.8,8218.5,772.3,828.1,95.7,89.5,96.9,110.1,405.4,409.6,95.4,89.1,2.8,63.4,0.6,0.6]
                    [PKTLENS.....: 66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54]
           analyse: [...288] [ip4][..tcp] [......10.0.2.15][50312] -> [104.238.172.250][23548] [Gnutella][Download][Potentially Dangerous]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -599,7 +599,7 @@
                    [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 30.9,31.2,0.4,0.8,29.2,31.6,2.5,501.7,502.0,17.1,17.4,35.1,479.7,480.4,544.2,592.6,8643.7,8692.0,0.6,0.6,0.6,0.6,0.4,0.4,0.5,0.4,0.3,0.4,0.4,0.4,0.4,0.0]
+                   [IATS(ms)....: 30.9,31.2,0.4,0.8,29.2,31.6,2.5,501.7,502.0,17.1,17.4,35.1,479.7,480.4,544.2,592.6,8643.7,8692.0,0.6,0.6,0.6,0.6,0.4,0.4,0.5,0.4,0.3,0.4,0.4,0.4,0.4]
                    [PKTLENS.....: 66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64]
               new: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] 
          detected: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] [Gnutella][Download][Potentially Dangerous]
@@ -649,7 +649,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1]
-                   [IATS(ms)....: 109.0,109.5,0.8,1.6,1123.2,14.9,1138.7,0.5,4.1,0.0,4.4,993.4,0.2,0.0,0.3,993.8,0.1,988.9,0.2,0.0,989.1,4.8,4.8,1004.1,0.1,0.0,0.1,1004.3,1027.6,5.2,0.1,0.0]
+                   [IATS(ms)....: 109.0,109.5,0.8,1.6,1123.2,14.9,1138.7,0.5,4.1,0.0,4.4,993.4,0.2,0.0,0.3,993.8,0.1,988.9,0.2,0.0,989.1,4.8,4.8,1004.1,0.1,0.0,0.1,1004.3,1027.6,5.2,0.1]
                    [PKTLENS.....: 66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514]
           analyse: [...276] [ip4][..tcp] [......10.0.2.15][50300] -> [..188.61.52.183][11852] [Gnutella][Download][Potentially Dangerous]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -658,7 +658,7 @@
                    [BINS(c->s)..: 8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 17.2,17.4,3.5,3.9,14.2,15.0,0.7,2.8,2.9,25.8,0.0,26.1,9.0,9.3,15.9,71.8,495.6,483.5,221.2,265.2,15.6,77.3,487.6,467.7,9469.0,9510.7,13761.0,13801.6,1593.6,1634.0,4141.0,0.0]
+                   [IATS(ms)....: 17.2,17.4,3.5,3.9,14.2,15.0,0.7,2.8,2.9,25.8,0.0,26.1,9.0,9.3,15.9,71.8,495.6,483.5,221.2,265.2,15.6,77.3,487.6,467.7,9469.0,9510.7,13761.0,13801.6,1593.6,1634.0,4141.0]
                    [PKTLENS.....: 66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115]
            update: [...134] [ip4][..udp] [......10.0.2.15][28681] -> [...78.231.73.14][.6346] 
            update: [...128] [ip4][..udp] [......10.0.2.15][28681] -> [..77.141.219.27][37580] 
@@ -752,7 +752,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 193.6,195.3,1.8,3.7,1208.8,5.6,0.1,1214.8,993.3,0.1,993.5,1040.3,0.1,1040.5,1001.3,0.1,1001.5,998.2,0.1,998.2,1008.3,0.2,1008.5,1046.8,0.1,1046.9,1000.2,0.1,1000.3,1013.4,0.0,0.0]
+                   [IATS(ms)....: 193.6,195.3,1.8,3.7,1208.8,5.6,0.1,1214.8,993.3,0.1,993.5,1040.3,0.1,1040.5,1001.3,0.1,1001.5,998.2,0.1,998.2,1008.3,0.2,1008.5,1046.8,0.1,1046.9,1000.2,0.1,1000.3,1013.4,0.0]
                    [PKTLENS.....: 66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146]
               new: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] 
          detected: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] [HTTP.Gnutella][Download][Potentially Dangerous]
@@ -849,7 +849,7 @@
                    [BINS(c->s)..: 9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 399.9,400.2,2.6,3.1,879.2,880.3,1.1,343.3,15.8,359.6,3.0,2.2,5.1,145.1,145.6,10048.7,10048.7,469.5,2.7,472.7,3557.8,3604.1,6175.3,6222.2,413.8,464.5,22633.8,22684.6,605.3,605.0,15818.9,0.0]
+                   [IATS(ms)....: 399.9,400.2,2.6,3.1,879.2,880.3,1.1,343.3,15.8,359.6,3.0,2.2,5.1,145.1,145.6,10048.7,10048.7,469.5,2.7,472.7,3557.8,3604.1,6175.3,6222.2,413.8,464.5,22633.8,22684.6,605.3,605.0,15818.9]
                    [PKTLENS.....: 66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76]
               new: [...353] [ip4][..udp] [......10.0.2.15][28681] -> [195.181.151.217][25282] 
               new: [...354] [ip4][..udp] [......10.0.2.15][28681] -> [.80.236.247.120][.1032] 
@@ -1177,7 +1177,7 @@
                    [BINS(c->s)..: 11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0]
-                   [IATS(ms)....: 107.0,107.3,0.3,0.8,178.4,179.8,1.4,41.0,98.0,375.7,432.9,10046.8,10046.8,42.3,94.5,6595.0,6594.8,3591.9,3643.9,39.2,93.5,24009.1,24063.3,605.1,604.8,14641.1,23.8,14665.3,55396.9,55455.4,453.2,0.0]
+                   [IATS(ms)....: 107.0,107.3,0.3,0.8,178.4,179.8,1.4,41.0,98.0,375.7,432.9,10046.8,10046.8,42.3,94.5,6595.0,6594.8,3591.9,3643.9,39.2,93.5,24009.1,24063.3,605.1,604.8,14641.1,23.8,14665.3,55396.9,55455.4,453.2]
                    [PKTLENS.....: 66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63]
               end: [....35] [ip4][..tcp] [......10.0.2.15][50196] -> [...218.250.6.59][12556] [Gnutella][Download][Potentially Dangerous]
                    RISK: Unsafe Protocol
diff --git a/test/results/flow-info/googledns_android10.pcap.out b/test/results/flow-info/googledns_android10.pcap.out
index 237b9b713..0900038ef 100644
--- a/test/results/flow-info/googledns_android10.pcap.out
+++ b/test/results/flow-info/googledns_android10.pcap.out
@@ -30,7 +30,7 @@
                    [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 12.8,14.6,0.3,14.8,16.2,1.1,0.1,31.1,1.0,0.5,12.5,28.6,36.9,41.2,19.2,12.5,6.2,5.0,24.3,307.1,326.2,13.8,74.3,386.7,447.4,5.0,23.8,155.7,173.7,5.0,23.2,0.0]
+                   [IATS(ms)....: 12.8,14.6,0.3,14.8,16.2,1.1,0.1,31.1,1.0,0.5,12.5,28.6,36.9,41.2,19.2,12.5,6.2,5.0,24.3,307.1,326.2,13.8,74.3,386.7,447.4,5.0,23.8,155.7,173.7,5.0,23.2]
                    [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66]
               new: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] 
          detected: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable]
@@ -48,7 +48,7 @@
                    [BINS(c->s)..: 8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 12.7,14.1,0.9,14.9,0.1,14.2,1.1,19.6,19.1,13.8,1.3,58.4,651.3,715.0,3.8,23.3,1234.1,1253.7,12.5,32.7,484.0,503.7,3.8,30.8,265.4,292.4,20.3,12.6,11.8,7.4,12.6,0.0]
+                   [IATS(ms)....: 12.7,14.1,0.9,14.9,0.1,14.2,1.1,19.6,19.1,13.8,1.3,58.4,651.3,715.0,3.8,23.3,1234.1,1253.7,12.5,32.7,484.0,503.7,3.8,30.8,265.4,292.4,20.3,12.6,11.8,7.4,12.6]
                    [PKTLENS.....: 74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565]
            update: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable]
              idle: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable]
@@ -74,7 +74,7 @@
                    [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 14.4,41.9,9.2,49.9,17.6,0.1,0.1,32.5,0.5,0.1,15.4,30.8,15.7,19.9,22.6,85.5,5640.7,5703.8,20.5,7.6,6.2,13.7,17.6,31.1,85.4,103.7,33.2,18.8,6.3,16.2,17.6,0.0]
+                   [IATS(ms)....: 14.4,41.9,9.2,49.9,17.6,0.1,0.1,32.5,0.5,0.1,15.4,30.8,15.7,19.9,22.6,85.5,5640.7,5703.8,20.5,7.6,6.2,13.7,17.6,31.1,85.4,103.7,33.2,18.8,6.3,16.2,17.6]
                    [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565]
               end: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
diff --git a/test/results/flow-info/http-manipulated.pcap.out b/test/results/flow-info/http-manipulated.pcap.out
index 6df536074..354830f60 100644
--- a/test/results/flow-info/http-manipulated.pcap.out
+++ b/test/results/flow-info/http-manipulated.pcap.out
@@ -16,7 +16,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.2,0.2,0.1,0.3,0.2,0.4,72.8,73.1,0.2,0.4,0.1,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,0.2,0.1,0.3,0.2,0.4,72.8,73.1,0.2,0.4,0.1,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974]
               end: [.....1] [ip4][..tcp] [...192.168.0.20][33632] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/http_auth.pcap.out b/test/results/flow-info/http_auth.pcap.out
index 43efb6f75..b9b0d844b 100644
--- a/test/results/flow-info/http_auth.pcap.out
+++ b/test/results/flow-info/http_auth.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0]
-                   [IATS(ms)....: 180.0,180.1,0.1,194.0,206.4,1.3,401.5,0.6,0.6,0.7,0.7,4.0,4.6,8.7,4.6,3.0,7.6,3.3,5.3,8.6,159.0,4.0,163.0,3.6,4.2,7.9,2.6,2.6,4861.8,4861.8,1269.0,0.0]
+                   [IATS(ms)....: 180.0,180.1,0.1,194.0,206.4,1.3,401.5,0.6,0.6,0.7,0.7,4.0,4.6,8.7,4.6,3.0,7.6,3.3,5.3,8.6,159.0,4.0,163.0,3.6,4.2,7.9,2.6,2.6,4861.8,4861.8,1269.0]
                    [PKTLENS.....: 78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66]
               end: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/http_connect.pcap.out b/test/results/flow-info/http_connect.pcap.out
index c25a29cde..c69fcad18 100644
--- a/test/results/flow-info/http_connect.pcap.out
+++ b/test/results/flow-info/http_connect.pcap.out
@@ -16,7 +16,7 @@
                    [BINS(c->s)..: 13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 8.8,8.9,2.8,11.3,7.5,16.0,0.1,0.1,0.0,0.0,0.0,0.0,7.3,0.5,15.0,0.0,4.0,11.3,0.7,0.7,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 8.8,8.9,2.8,11.3,7.5,16.0,0.1,0.1,0.0,0.0,0.0,0.0,7.3,0.5,15.0,0.0,4.0,11.3,0.7,0.7,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.1]
                    [PKTLENS.....: 74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450]
           analyse: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1]
-                   [IATS(ms)....: 0.0,2.7,0.4,3.1,9.6,12.4,2.7,16.2,17.3,6.1,7.2,0.5,0.5,0.0,0.0,11.4,0.7,0.1,0.2,12.6,0.0,0.2,0.0,0.1,0.1,0.7,4.0,50.2,53.4,1.2,1.2,0.0]
+                   [IATS(ms)....: 0.0,2.7,0.4,3.1,9.6,12.4,2.7,16.2,17.3,6.1,7.2,0.5,0.5,0.0,0.0,11.4,0.7,0.1,0.2,12.6,0.0,0.2,0.0,0.1,0.1,0.7,4.0,50.2,53.4,1.2,1.2]
                    [PKTLENS.....: 66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54]
              idle: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Network][Acceptable]
              idle: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/http_ipv6.pcap.out b/test/results/flow-info/http_ipv6.pcap.out
index 77d07ed6b..c4685a89c 100644
--- a/test/results/flow-info/http_ipv6.pcap.out
+++ b/test/results/flow-info/http_ipv6.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0]
                    [BINS(s->c)..: 2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]
-                   [IATS(ms)....: 25.4,26.2,172.4,219.5,15.7,87.2,38.8,110.2,47.0,1.5,26.7,45.8,1752.5,1778.7,6.8,78.3,246.6,318.1,6008.8,6008.7,4.8,76.9,102.6,174.5,2.4,73.9,70.9,142.5,2.9,74.3,992.4,0.0]
+                   [IATS(ms)....: 25.4,26.2,172.4,219.5,15.7,87.2,38.8,110.2,47.0,1.5,26.7,45.8,1752.5,1778.7,6.8,78.3,246.6,318.1,6008.8,6008.7,4.8,76.9,102.6,174.5,2.4,73.9,70.9,142.5,2.9,74.3,992.4]
                    [PKTLENS.....: 1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265]
               new: [.....6] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37486] -> [................2a03:b0c0:3:d0::70:1001][..443] 
               new: [.....7] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37488] -> [................2a03:b0c0:3:d0::70:1001][..443] 
diff --git a/test/results/flow-info/iax.pcap.out b/test/results/flow-info/iax.pcap.out
index e6420b9b3..c37a7d6e1 100644
--- a/test/results/flow-info/iax.pcap.out
+++ b/test/results/flow-info/iax.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 2.2,5.1,7.7,24.4,24.4,24.7,16.9,51.4,9.6,12.3,14.1,6.9,22.8,16.8,31.3,17.9,20.0,11.5,43.2,21.3,13.9,17.1,22.6,0.9,20.5,34.1,6.9,21.0,19.9,18.0,29.1,0.0]
+                   [IATS(ms)....: 2.2,5.1,7.7,24.4,24.4,24.7,16.9,51.4,9.6,12.3,14.1,6.9,22.8,16.8,31.3,17.9,20.0,11.5,43.2,21.3,13.9,17.1,22.6,0.9,20.5,34.1,6.9,21.0,19.9,18.0,29.1]
                    [PKTLENS.....: 108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206]
              idle: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/icmp-tunnel.pcap.out b/test/results/flow-info/icmp-tunnel.pcap.out
index 2124e14d0..0a7b37bd5 100644
--- a/test/results/flow-info/icmp-tunnel.pcap.out
+++ b/test/results/flow-info/icmp-tunnel.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 998.8,1000.0,1000.1,1000.0,1000.1,1000.1,1000.0,1000.0,1000.0,1000.1,1000.0,1000.0,1000.0,999.9,13999.4,1001.2,1001.2,1001.0,1001.0,1001.1,1001.1,1001.0,1000.9,1000.9,1000.9,1001.1,1001.1,1001.0,1001.0,1001.0,1001.0,0.0]
+                   [IATS(ms)....: 998.8,1000.0,1000.1,1000.0,1000.1,1000.1,1000.0,1000.0,1000.0,1000.1,1000.0,1000.0,1000.0,999.9,13999.4,1001.2,1001.2,1001.0,1001.0,1001.1,1001.1,1001.0,1000.9,1000.9,1000.9,1001.1,1001.1,1001.0,1001.0,1001.0,1001.0]
                    [PKTLENS.....: 126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126]
            update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable]
                    RISK: Malformed Packet
diff --git a/test/results/flow-info/iec60780-5-104.pcap.out b/test/results/flow-info/iec60780-5-104.pcap.out
index 354391d09..24f21aa6e 100644
--- a/test/results/flow-info/iec60780-5-104.pcap.out
+++ b/test/results/flow-info/iec60780-5-104.pcap.out
@@ -27,7 +27,7 @@
                    [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1]
-                   [IATS(ms)....: 0.1,0.3,1.2,4.3,153.9,32516.1,32485.0,17329.0,17462.6,171.2,19844.6,20033.2,171.5,19860.3,20118.3,25436.2,25352.0,204.3,19828.9,20215.2,5341.8,5765.2,10455.9,10671.3,13.9,15.2,139.9,131.3,218.7,19641.5,20056.0,0.0]
+                   [IATS(ms)....: 0.1,0.3,1.2,4.3,153.9,32516.1,32485.0,17329.0,17462.6,171.2,19844.6,20033.2,171.5,19860.3,20118.3,25436.2,25352.0,204.3,19828.9,20215.2,5341.8,5765.2,10455.9,10671.3,13.9,15.2,139.9,131.3,218.7,19641.5,20056.0]
                    [PKTLENS.....: 62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54]
               end: [.....6] [ip4][..tcp] [.172.27.248.109][.1578] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/imap-starttls.pcap.out b/test/results/flow-info/imap-starttls.pcap.out
index 1ab25f851..6e411e3ee 100644
--- a/test/results/flow-info/imap-starttls.pcap.out
+++ b/test/results/flow-info/imap-starttls.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1]
-                   [IATS(ms)....: 189.8,189.9,188.3,188.3,0.1,192.5,0.3,192.6,0.2,186.5,0.0,186.4,0.4,197.4,0.2,197.1,2.0,0.2,2.2,0.1,3.7,191.6,187.9,1487.0,1677.8,0.2,190.8,0.0,0.3,0.0,189.4,0.0]
+                   [IATS(ms)....: 189.8,189.9,188.3,188.3,0.1,192.5,0.3,192.6,0.2,186.5,0.0,186.4,0.4,197.4,0.2,197.1,2.0,0.2,2.2,0.1,3.7,191.6,187.9,1487.0,1677.8,0.2,190.8,0.0,0.3,0.0,189.4]
                    [PKTLENS.....: 78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60]
  detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe]
                    RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
diff --git a/test/results/flow-info/imap.pcap.out b/test/results/flow-info/imap.pcap.out
index 899e4fabe..1e029c299 100644
--- a/test/results/flow-info/imap.pcap.out
+++ b/test/results/flow-info/imap.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1]
-                   [IATS(ms)....: 0.1,0.1,12.9,12.9,0.2,0.4,36.9,36.8,0.1,4330.0,4331.4,1.4,16.8,17.3,39.9,39.5,0.1,0.2,0.6,39.7,39.4,0.1,0.9,1.3,39.0,38.7,0.1,0.1,10.8,47.8,37.2,0.0]
+                   [IATS(ms)....: 0.1,0.1,12.9,12.9,0.2,0.4,36.9,36.8,0.1,4330.0,4331.4,1.4,16.8,17.3,39.9,39.5,0.1,0.2,0.6,39.7,39.4,0.1,0.9,1.3,39.0,38.7,0.1,0.1,10.8,47.8,37.2]
                    [PKTLENS.....: 74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762]
              idle: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe]
                    RISK: Unsafe Protocol
diff --git a/test/results/flow-info/imo.pcap.out b/test/results/flow-info/imo.pcap.out
index 410d68eb8..44b07de58 100644
--- a/test/results/flow-info/imo.pcap.out
+++ b/test/results/flow-info/imo.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0]
-                   [IATS(ms)....: 36.2,20.9,69.2,11.2,11.0,10.9,11.9,60.3,17.6,7.2,0.0,9.9,379.0,463.8,100.2,9.5,9.9,20.9,0.0,106.5,0.3,0.2,0.2,0.1,19.5,7.8,19.7,23.2,8.0,3.7,407.5,0.0]
+                   [IATS(ms)....: 36.2,20.9,69.2,11.2,11.0,10.9,11.9,60.3,17.6,7.2,0.0,9.9,379.0,463.8,100.2,9.5,9.9,20.9,0.0,106.5,0.3,0.2,0.2,0.1,19.5,7.8,19.7,23.2,8.0,3.7,407.5]
                    [PKTLENS.....: 43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52]
           analyse: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -21,7 +21,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.4,41.3,0.0,43.4,10.8,2.2,0.3,10.5,8.1,9.4,10.0,55.7,0.1,0.0,9.7,18.5,13.5,0.3,9.8,9.7,9.6,13.5,0.0,69.3,127.2,99.8,16.6,835.4,861.7,1002.8,1002.6,0.0]
+                   [IATS(ms)....: 0.4,41.3,0.0,43.4,10.8,2.2,0.3,10.5,8.1,9.4,10.0,55.7,0.1,0.0,9.7,18.5,13.5,0.3,9.8,9.7,9.6,13.5,0.0,69.3,127.2,99.8,16.6,835.4,861.7,1002.8,1002.6]
                    [PKTLENS.....: 242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53]
              idle: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable]
              idle: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable]
diff --git a/test/results/flow-info/instagram.pcap.out b/test/results/flow-info/instagram.pcap.out
index c4780fc04..45d5631f2 100644
--- a/test/results/flow-info/instagram.pcap.out
+++ b/test/results/flow-info/instagram.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 88.9,75.9,165.0,1522.7,1572.5,340.3,390.0,2.2,2.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,29.9,30.0,0.7,0.7,0.7,0.7,0.0]
+                   [IATS(ms)....: 88.9,75.9,165.0,1522.7,1572.5,340.3,390.0,2.2,2.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,29.9,30.0,0.7,0.7,0.7,0.7]
                    [PKTLENS.....: 1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66]
  detection-update: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] [TLS.Facebook][SocialNetwork][Fun]
               new: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [MIDSTREAM] 
@@ -33,7 +33,7 @@
                    [BINS(c->s)..: 5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1]
-                   [IATS(ms)....: 32.7,33.1,0.8,0.7,1.8,2.1,0.1,0.0,0.3,0.4,0.7,0.6,0.6,0.6,0.6,0.6,0.6,0.6,11.0,1.9,2.0,0.4,0.3,0.8,1.1,0.5,0.5,0.4,0.8,4.1,0.5,0.0]
+                   [IATS(ms)....: 32.7,33.1,0.8,0.7,1.8,2.1,0.1,0.0,0.3,0.4,0.7,0.6,0.6,0.6,0.6,0.6,0.6,0.6,11.0,1.9,2.0,0.4,0.3,0.8,1.1,0.5,0.5,0.4,0.8,4.1,0.5]
                    [PKTLENS.....: 326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484]
           analyse: [.....4] [ip4][..tcp] [..192.168.0.103][57936] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -42,7 +42,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 56.8,57.1,1.2,1.0,0.6,0.6,0.4,0.4,0.5,0.5,0.7,0.7,1.3,1.3,1.2,1.2,0.5,0.5,0.4,0.5,111.5,0.0,112.0,0.3,1.3,0.1,0.0,1.0,0.9,0.8,0.5,0.0]
+                   [IATS(ms)....: 56.8,57.1,1.2,1.0,0.6,0.6,0.4,0.4,0.5,0.5,0.7,0.7,1.3,1.3,1.2,1.2,0.5,0.5,0.4,0.5,111.5,0.0,112.0,0.3,1.3,0.1,0.0,1.0,0.9,0.8,0.5]
                    [PKTLENS.....: 319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484]
  detection-update: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [HTTP.Instagram][SocialNetwork][Fun]
  detection-update: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][SocialNetwork][Fun]
@@ -54,7 +54,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 185.5,185.9,0.4,0.5,0.6,0.1,1.4,0.1,1.4,0.1,0.6,0.7,1.4,0.1,310.3,372.1,63.2,2.2,2.2,0.3,0.3,0.5,0.4,0.7,0.8,0.6,0.5,0.5,0.5,1.0,1.0,0.0]
+                   [IATS(ms)....: 185.5,185.9,0.4,0.5,0.6,0.1,1.4,0.1,1.4,0.1,0.6,0.7,1.4,0.1,310.3,372.1,63.2,2.2,2.2,0.3,0.3,0.5,0.4,0.7,0.8,0.6,0.5,0.5,0.5,1.0,1.0]
                    [PKTLENS.....: 325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484]
               new: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [MIDSTREAM] 
          detected: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [HTTP.Instagram][SocialNetwork][Fun]
@@ -79,7 +79,7 @@
                    [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0]
-                   [IATS(ms)....: 0.2,0.9,1.5,2.7,0.5,0.4,0.3,0.4,1.5,0.5,1.2,1.8,0.1,0.0,2.3,0.1,3.2,0.4,3.6,1.0,0.5,0.4,2.0,0.9,0.9,0.7,3.6,0.1,4.7,0.2,7321.5,0.0]
+                   [IATS(ms)....: 0.2,0.9,1.5,2.7,0.5,0.4,0.3,0.4,1.5,0.5,1.2,1.8,0.1,0.0,2.3,0.1,3.2,0.4,3.6,1.0,0.5,0.4,2.0,0.9,0.9,0.7,3.6,0.1,4.7,0.2,7321.5]
                    [PKTLENS.....: 66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66]
           guessed: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable]
          detected: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable]
@@ -133,7 +133,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1]
-                   [IATS(ms)....: 61.3,0.2,0.4,62.2,0.3,0.3,1.4,0.7,0.9,0.9,1.6,0.1,0.1,1.6,0.1,0.1,1.3,0.1,0.0,1.3,0.1,0.1,0.0,0.1,0.5,0.5,2.4,2.4,1.4,0.1,0.0,0.0]
+                   [IATS(ms)....: 61.3,0.2,0.4,62.2,0.3,0.3,1.4,0.7,0.9,0.9,1.6,0.1,0.1,1.6,0.1,0.1,1.3,0.1,0.0,1.3,0.1,0.1,0.0,0.1,0.5,0.5,2.4,2.4,1.4,0.1,0.0]
                    [PKTLENS.....: 326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484]
               new: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [MIDSTREAM] 
           analyse: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] 
@@ -143,7 +143,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0]
                    [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]
-                   [IATS(ms)....: 0.4,1.5,1.6,0.5,0.5,0.8,1.5,0.1,0.0,1.6,2.2,2.1,0.4,0.2,0.6,0.4,1.3,1.7,0.5,0.2,0.6,0.6,1.0,1.7,0.3,0.5,0.9,0.8,0.3,1.0,0.7,0.0]
+                   [IATS(ms)....: 0.4,1.5,1.6,0.5,0.5,0.8,1.5,0.1,0.0,1.6,2.2,2.1,0.4,0.2,0.6,0.4,1.3,1.7,0.5,0.2,0.6,0.6,1.0,1.7,0.3,0.5,0.9,0.8,0.3,1.0,0.7]
                    [PKTLENS.....: 1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464]
           guessed: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun]
          detected: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun]
@@ -163,7 +163,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]
                    [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0]
-                   [IATS(ms)....: 0.1,2.1,0.4,3.4,0.0,3.2,2.3,0.4,0.9,1.9,0.2,2.6,1.8,3.8,0.1,3.8,0.2,1.3,1.3,0.4,0.2,0.2,0.3,0.5,0.5,0.9,0.9,2.1,2.1,2.0,0.1,0.0]
+                   [IATS(ms)....: 0.1,2.1,0.4,3.4,0.0,3.2,2.3,0.4,0.9,1.9,0.2,2.6,1.8,3.8,0.1,3.8,0.2,1.3,1.3,0.4,0.2,0.2,0.3,0.5,0.5,0.9,0.9,2.1,2.1,2.0,0.1]
                    [PKTLENS.....: 1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484]
           guessed: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable]
          detected: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable]
@@ -180,7 +180,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 12.4,14.6,0.1,14.6,1.7,0.0,0.0,16.8,0.1,2.0,0.5,16.5,0.7,0.2,12.5,0.6,0.5,0.9,0.3,0.3,0.2,0.2,0.1,0.2,0.3,0.2,2.4,0.1,1.6,0.1,0.1,0.0]
+                   [IATS(ms)....: 12.4,14.6,0.1,14.6,1.7,0.0,0.0,16.8,0.1,2.0,0.5,16.5,0.7,0.2,12.5,0.6,0.5,0.9,0.3,0.3,0.2,0.2,0.1,0.2,0.3,0.2,2.4,0.1,1.6,0.1,0.1]
                    [PKTLENS.....: 78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66]
               new: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] 
               new: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] 
@@ -198,7 +198,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1]
-                   [IATS(ms)....: 12.0,14.1,0.6,0.2,14.9,0.1,0.3,0.6,0.4,0.3,0.1,14.0,0.4,0.1,0.1,0.2,0.2,1.4,0.1,1.2,0.1,0.1,0.0,0.5,10.6,8.9,1.6,2.2,142.8,158.9,0.4,0.0]
+                   [IATS(ms)....: 12.0,14.1,0.6,0.2,14.9,0.1,0.3,0.6,0.4,0.3,0.1,14.0,0.4,0.1,0.1,0.2,0.2,1.4,0.1,1.2,0.1,0.1,0.0,0.5,10.6,8.9,1.6,2.2,142.8,158.9,0.4]
                    [PKTLENS.....: 78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454]
           analyse: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -207,7 +207,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1]
-                   [IATS(ms)....: 11.1,12.2,3.4,0.1,16.0,0.2,0.5,13.0,0.5,11.8,12.0,155.6,0.5,0.1,0.3,0.1,0.1,0.3,0.0,156.5,0.1,0.1,0.1,0.3,2.7,48.7,55.9,8.2,149.2,0.5,0.0,0.0]
+                   [IATS(ms)....: 11.1,12.2,3.4,0.1,16.0,0.2,0.5,13.0,0.5,11.8,12.0,155.6,0.5,0.1,0.3,0.1,0.1,0.3,0.0,156.5,0.1,0.1,0.1,0.3,2.7,48.7,55.9,8.2,149.2,0.5,0.0]
                    [PKTLENS.....: 78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454]
              idle: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] 
              idle: [....22] [ip4][..tcp] [..192.168.0.103][41181] -> [...82.85.26.154][..443] 
@@ -260,7 +260,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 11.8,12.9,2.8,0.1,16.4,0.0,0.4,1.1,14.1,0.3,0.6,0.6,0.2,0.3,0.4,0.1,1.1,0.3,0.1,1.7,0.1,0.2,0.0,0.1,10.0,0.1,1.4,0.1,1.4,0.1,0.2,0.0]
+                   [IATS(ms)....: 11.8,12.9,2.8,0.1,16.4,0.0,0.4,1.1,14.1,0.3,0.6,0.6,0.2,0.3,0.4,0.1,1.1,0.3,0.1,1.7,0.1,0.2,0.0,0.1,10.0,0.1,1.4,0.1,1.4,0.1,0.2]
                    [PKTLENS.....: 78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454]
           analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -269,7 +269,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1]
-                   [IATS(ms)....: 11.1,12.4,1.2,0.5,13.3,0.6,0.1,14.2,0.6,14.4,12.5,169.6,0.3,0.2,0.1,0.3,0.1,0.2,0.2,0.0,169.7,0.1,1.8,0.2,0.1,0.5,10413.4,52.2,10469.8,9.8,75.9,0.0]
+                   [IATS(ms)....: 11.1,12.4,1.2,0.5,13.3,0.6,0.1,14.2,0.6,14.4,12.5,169.6,0.3,0.2,0.1,0.3,0.1,0.2,0.2,0.0,169.7,0.1,1.8,0.2,0.1,0.5,10413.4,52.2,10469.8,9.8,75.9]
                    [PKTLENS.....: 78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842]
           analyse: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -278,7 +278,7 @@
                    [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 12.1,13.3,2.5,0.5,16.0,0.0,0.8,14.0,1.4,14.5,16.1,131.7,0.0,0.9,0.2,0.3,0.0,0.1,0.3,0.2,0.2,0.2,0.3,129.9,0.1,0.1,2.6,0.1,0.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 12.1,13.3,2.5,0.5,16.0,0.0,0.8,14.0,1.4,14.5,16.1,131.7,0.0,0.9,0.2,0.3,0.0,0.1,0.3,0.2,0.2,0.2,0.3,129.9,0.1,0.1,2.6,0.1,0.1,0.0,0.0]
                    [PKTLENS.....: 78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66]
               end: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun]
               end: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun]
diff --git a/test/results/flow-info/iphone.pcap.out b/test/results/flow-info/iphone.pcap.out
index ebe66274d..5bed52647 100644
--- a/test/results/flow-info/iphone.pcap.out
+++ b/test/results/flow-info/iphone.pcap.out
@@ -140,7 +140,7 @@
                    [BINS(c->s)..: 8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0]
-                   [IATS(ms)....: 34.0,135.8,0.2,135.5,2.1,0.2,8.7,0.0,162.5,0.9,167.4,319.4,0.0,34.7,0.1,651.1,0.6,0.0,0.1,0.1,0.0,0.1,0.2,686.2,0.0,1.2,0.0,33.7,32.5,122.6,156.5,0.0]
+                   [IATS(ms)....: 34.0,135.8,0.2,135.5,2.1,0.2,8.7,0.0,162.5,0.9,167.4,319.4,0.0,34.7,0.1,651.1,0.6,0.0,0.1,0.1,0.0,0.1,0.2,686.2,0.0,1.2,0.0,33.7,32.5,122.6,156.5]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66]
               new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] 
          detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun]
@@ -152,7 +152,7 @@
                    [BINS(c->s)..: 9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1]
-                   [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8,0.0]
+                   [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66]
           analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -161,7 +161,7 @@
                    [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1]
-                   [IATS(ms)....: 33.3,146.1,0.1,147.3,1.4,0.2,0.1,0.0,38.6,0.0,0.1,10.9,46.9,12.5,120.2,0.0,0.0,0.2,1.1,0.1,1.5,0.5,107.4,0.0,1.2,31.0,0.5,3.7,0.0,4.5,82.6,0.0]
+                   [IATS(ms)....: 33.3,146.1,0.1,147.3,1.4,0.2,0.1,0.0,38.6,0.0,0.1,10.9,46.9,12.5,120.2,0.0,0.0,0.2,1.1,0.1,1.5,0.5,107.4,0.0,1.2,31.0,0.5,3.7,0.0,4.5,82.6]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66]
           analyse: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -170,7 +170,7 @@
                    [BINS(c->s)..: 8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0]
-                   [IATS(ms)....: 146.0,171.0,0.4,171.3,2.7,0.1,11.1,1.3,11.2,179.7,0.0,0.1,0.1,15.6,168.2,146.4,161.4,0.7,308.7,51.5,198.2,655.7,0.2,0.2,0.3,803.5,1.3,180.3,0.3,0.3,0.2,0.0]
+                   [IATS(ms)....: 146.0,171.0,0.4,171.3,2.7,0.1,11.1,1.3,11.2,179.7,0.0,0.1,0.1,15.6,168.2,146.4,161.4,0.7,308.7,51.5,198.2,655.7,0.2,0.2,0.3,803.5,1.3,180.3,0.3,0.3,0.2]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506]
  detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Web][Acceptable]
               new: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] 
diff --git a/test/results/flow-info/ipp.pcap.out b/test/results/flow-info/ipp.pcap.out
index ffa682f97..29f69fb88 100644
--- a/test/results/flow-info/ipp.pcap.out
+++ b/test/results/flow-info/ipp.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9]
                    [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 0.7,0.7,0.1,0.0,3.6,1.6,5.1,0.1,0.0,5.8,5.7,0.0,3.7,3.6,0.0,7.3,7.3,0.0,8.8,8.8,0.0,9.1,9.1,0.0,7.2,7.2,0.0,7.6,7.6,0.0,7.2,0.0]
+                   [IATS(ms)....: 0.7,0.7,0.1,0.0,3.6,1.6,5.1,0.1,0.0,5.8,5.7,0.0,3.7,3.6,0.0,7.3,7.3,0.0,8.8,8.8,0.0,9.1,9.1,0.0,7.2,7.2,0.0,7.6,7.6,0.0,7.2]
                    [PKTLENS.....: 74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66]
               new: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] 
          detected: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable]
diff --git a/test/results/flow-info/ipsec_isakmp_esp.pcap.out b/test/results/flow-info/ipsec_isakmp_esp.pcap.out
index b158fc2d4..7567bc653 100644
--- a/test/results/flow-info/ipsec_isakmp_esp.pcap.out
+++ b/test/results/flow-info/ipsec_isakmp_esp.pcap.out
@@ -18,7 +18,7 @@
                    [BINS(c->s)..: 0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 122.0,677.0,771.0,222.0,34.0,2372.0,1.0,23.0,2387.0,22.0,24.0,661960.0,662067.0,681.0,743.0,195.0,34.0,407.0,421.0,4.0,138.0,188.0,12771.0,421390.0,408766.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 122.0,677.0,771.0,222.0,34.0,2372.0,1.0,23.0,2387.0,22.0,24.0,661960.0,662067.0,681.0,743.0,195.0,34.0,407.0,421.0,4.0,138.0,188.0,12771.0,421390.0,408766.0]
                    [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]
            update: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe]
            update: [.....2] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.193][..500] [IPSec][VPN][Safe]
@@ -124,7 +124,7 @@
                    [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]
           analyse: [....23] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.227][..500] [IPSec][VPN][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -133,7 +133,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330]
               new: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] 
          detected: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] [IPSec][VPN][Safe]
@@ -150,7 +150,7 @@
                    [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250]
               new: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] 
          detected: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] [IPSec][VPN][Safe]
@@ -175,7 +175,7 @@
                    [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]
           analyse: [....18] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500] [IPSec][VPN][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -184,7 +184,7 @@
                    [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]
              idle: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe]
              idle: [....20] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.131][.4500] [IPSec][VPN][Safe]
diff --git a/test/results/flow-info/jabber.pcap.out b/test/results/flow-info/jabber.pcap.out
index 1f1f26737..d92f7fb7b 100644
--- a/test/results/flow-info/jabber.pcap.out
+++ b/test/results/flow-info/jabber.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]
-                   [IATS(ms)....: 0.4,0.5,0.4,0.8,0.4,0.4,12.4,12.8,2.4,2.4,0.3,2.0,1.6,0.2,40.8,37.0,77.5,0.2,0.6,337.3,337.7,0.4,0.8,51.1,51.5,6.4,6.4,0.3,0.8,109.1,109.6,0.0]
+                   [IATS(ms)....: 0.4,0.5,0.4,0.8,0.4,0.4,12.4,12.8,2.4,2.4,0.3,2.0,1.6,0.2,40.8,37.0,77.5,0.2,0.6,337.3,337.7,0.4,0.8,51.1,51.5,6.4,6.4,0.3,0.8,109.1,109.6]
                    [PKTLENS.....: 78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]
               new: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] 
          detected: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable]
@@ -21,7 +21,7 @@
                    [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]
-                   [IATS(ms)....: 0.7,0.7,0.1,0.5,0.4,0.3,0.2,0.5,0.1,0.1,0.2,1.4,1.3,0.2,39.8,41.0,80.7,0.2,0.6,336.4,336.8,0.3,0.8,51.2,51.7,0.1,0.1,0.3,0.8,115.1,115.6,0.0]
+                   [IATS(ms)....: 0.7,0.7,0.1,0.5,0.4,0.3,0.2,0.5,0.1,0.1,0.2,1.4,1.3,0.2,39.8,41.0,80.7,0.2,0.6,336.4,336.8,0.3,0.8,51.2,51.7,0.1,0.1,0.3,0.8,115.1,115.6]
                    [PKTLENS.....: 78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]
               new: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [MIDSTREAM] 
          detected: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable]
@@ -44,7 +44,7 @@
                    [BINS(c->s)..: 9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 5.0,0.0,5.1,0.0,217.0,218.0,1.0,3684.5,3688.3,3.9,600484.2,600487.8,0.0,3.6,0.0,1.1,1.1,7.8,47.5,39.7,0.4,63.0,63.4,0.3,0.5,0.2,0.1,0.0,0.1,46584.0,46624.0,0.0]
+                   [IATS(ms)....: 5.0,0.0,5.1,0.0,217.0,218.0,1.0,3684.5,3688.3,3.9,600484.2,600487.8,0.0,3.6,0.0,1.1,1.1,7.8,47.5,39.7,0.4,63.0,63.4,0.3,0.5,0.2,0.1,0.0,0.1,46584.0,46624.0]
                    [PKTLENS.....: 305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66]
      DAEMON-EVENT: [Processed: 270 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/kismet.pcap.out b/test/results/flow-info/kismet.pcap.out
index d09bbaf22..8bf5896fd 100644
--- a/test/results/flow-info/kismet.pcap.out
+++ b/test/results/flow-info/kismet.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.2,0.2,399.9,399.9,615.2,615.3,399.6,399.6,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.9,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.2,0.2,399.9,399.9,615.2,615.3,399.6,399.6,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.9,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8]
                    [PKTLENS.....: 66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189]
              idle: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/kontiki.pcap.out b/test/results/flow-info/kontiki.pcap.out
index d0abbfcc7..5ef4ef23e 100644
--- a/test/results/flow-info/kontiki.pcap.out
+++ b/test/results/flow-info/kontiki.pcap.out
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1]
-                   [IATS(ms)....: 198.6,212.4,193.8,607.7,3.1,5.8,31.2,30.0,8.8,9.1,0.1,0.2,0.0,19.4,18.3,0.1,0.1,0.1,0.1,15.3,14.9,0.0,0.2,0.1,0.0,0.1,15.9,15.4,0.0,0.1,0.1,0.0]
+                   [IATS(ms)....: 198.6,212.4,193.8,607.7,3.1,5.8,31.2,30.0,8.8,9.1,0.1,0.2,0.0,19.4,18.3,0.1,0.1,0.1,0.1,15.3,14.9,0.0,0.2,0.1,0.0,0.1,15.9,15.4,0.0,0.1,0.1]
                    [PKTLENS.....: 46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283]
              idle: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Network][Acceptable]
              idle: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59] [ICMP][Network][Acceptable]
diff --git a/test/results/flow-info/log4j-webapp-exploit.pcap.out b/test/results/flow-info/log4j-webapp-exploit.pcap.out
index 7b6f44f10..12fbce673 100644
--- a/test/results/flow-info/log4j-webapp-exploit.pcap.out
+++ b/test/results/flow-info/log4j-webapp-exploit.pcap.out
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 0.1,0.2,7288.6,7288.6,60.5,60.7,0.3,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.1,0.2,7288.6,7288.6,60.5,60.7,0.3,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1]
                    [PKTLENS.....: 76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71]
      not-detected: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unrated]
               new: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] 
diff --git a/test/results/flow-info/long_tls_certificate.pcap.out b/test/results/flow-info/long_tls_certificate.pcap.out
index 6b402edfd..d85fa9462 100644
--- a/test/results/flow-info/long_tls_certificate.pcap.out
+++ b/test/results/flow-info/long_tls_certificate.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1]
-                   [IATS(ms)....: 370.8,370.9,9.4,360.9,2.8,0.1,0.1,354.4,0.1,0.1,0.1,0.1,8.1,8.1,5.8,200.3,194.6,174.3,0.0,174.3,0.0,2.3,0.1,0.1,0.1,0.1,94.1,91.5,274.6,0.0,0.0,0.0]
+                   [IATS(ms)....: 370.8,370.9,9.4,360.9,2.8,0.1,0.1,354.4,0.1,0.1,0.1,0.1,8.1,8.1,5.8,200.3,194.6,174.3,0.0,174.3,0.0,2.3,0.1,0.1,0.1,0.1,94.1,91.5,274.6,0.0,0.0]
                    [PKTLENS.....: 78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66]
  detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable]
               end: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable]
diff --git a/test/results/flow-info/modbus.pcap.out b/test/results/flow-info/modbus.pcap.out
index 47eec1162..8b3b6ecd8 100644
--- a/test/results/flow-info/modbus.pcap.out
+++ b/test/results/flow-info/modbus.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 1.1,1.2,0.9,1013.6,1014.2,1.5,0.9,986.5,986.9,1.2,0.9,1000.2,1000.5,1.2,0.9,1000.2,1000.6,1.2,0.9,1000.2,1000.6,1.6,0.9,999.8,1000.4,1.2,0.8,1000.2,1000.6,1.2,0.9,0.0]
+                   [IATS(ms)....: 1.1,1.2,0.9,1013.6,1014.2,1.5,0.9,986.5,986.9,1.2,0.9,1000.2,1000.5,1.2,0.9,1000.2,1000.6,1.2,0.9,1000.2,1000.6,1.6,0.9,999.8,1000.4,1.2,0.8,1000.2,1000.6,1.2,0.9]
                    [PKTLENS.....: 66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65]
              idle: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/monero.pcap.out b/test/results/flow-info/monero.pcap.out
index 513bca99f..e9a7e0fb3 100644
--- a/test/results/flow-info/monero.pcap.out
+++ b/test/results/flow-info/monero.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0]
                    [BINS(s->c)..: 10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 80.3,80.3,0.1,83.2,0.0,83.1,0.1,81.0,0.0,80.9,0.3,118.0,882.3,1042.5,71569.6,0.2,71693.1,0.0,0.7,81.6,32242.2,0.2,32323.4,1.5,82.5,7433.0,7432.9,3511.8,0.2,3592.7,1.0,0.0]
+                   [IATS(ms)....: 80.3,80.3,0.1,83.2,0.0,83.1,0.1,81.0,0.0,80.9,0.3,118.0,882.3,1042.5,71569.6,0.2,71693.1,0.0,0.7,81.6,32242.2,0.2,32323.4,1.5,82.5,7433.0,7432.9,3511.8,0.2,3592.7,1.0]
                    [PKTLENS.....: 74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91]
           analyse: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]
                    [BINS(s->c)..: 4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1]
-                   [IATS(ms)....: 308.1,308.2,0.2,308.1,0.0,308.0,0.7,308.7,0.0,308.0,0.1,346.7,653.9,1043.1,114411.2,114368.8,308.6,308.5,36863.2,36863.2,20419.9,20419.9,170525.4,170525.4,113243.5,113243.5,35871.3,35871.3,15564.6,0.2,15873.5,0.0]
+                   [IATS(ms)....: 308.1,308.2,0.2,308.1,0.0,308.0,0.7,308.7,0.0,308.0,0.1,346.7,653.9,1043.1,114411.2,114368.8,308.6,308.5,36863.2,36863.2,20419.9,20419.9,170525.4,170525.4,113243.5,113243.5,35871.3,35871.3,15564.6,0.2,15873.5]
                    [PKTLENS.....: 74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60]
      DAEMON-EVENT: [Processed: 198 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/nest_log_sink.pcap.out b/test/results/flow-info/nest_log_sink.pcap.out
index ddef9dc92..7d31b64e2 100644
--- a/test/results/flow-info/nest_log_sink.pcap.out
+++ b/test/results/flow-info/nest_log_sink.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 60.8,60066.5,60071.0,444.6,512.2,60052.4,60122.1,60064.1,60058.5,139.4,204.1,59876.0,59944.8,60065.8,60071.7,305.5,379.3,59710.1,59782.3,60066.2,60065.0,470.7,541.9,60021.2,60097.0,60072.0,60059.9,163.5,227.3,59834.0,59896.7,0.0]
+                   [IATS(ms)....: 60.8,60066.5,60071.0,444.6,512.2,60052.4,60122.1,60064.1,60058.5,139.4,204.1,59876.0,59944.8,60065.8,60071.7,305.5,379.3,59710.1,59782.3,60066.2,60065.0,470.7,541.9,60021.2,60097.0,60072.0,60059.9,163.5,227.3,59834.0,59896.7]
                    [PKTLENS.....: 60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54]
           guessed: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable]
          detected: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable]
@@ -29,7 +29,7 @@
                    [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 69.7,72.2,635.6,708.3,5.3,110.8,1347.4,1490.6,118.0,84.3,0.1,88.9,80.3,82.8,83.4,80.0,80.0,80.2,79.6,79.6,80.9,81.4,80.7,80.0,79.3,79.3,79.9,72.2,8.5,80.0,81.8,0.0]
+                   [IATS(ms)....: 69.7,72.2,635.6,708.3,5.3,110.8,1347.4,1490.6,118.0,84.3,0.1,88.9,80.3,82.8,83.4,80.0,80.0,80.2,79.6,79.6,80.9,81.4,80.7,80.0,79.3,79.3,79.9,72.2,8.5,80.0,81.8]
                    [PKTLENS.....: 60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]
               new: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] 
          detected: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable]
@@ -43,7 +43,7 @@
                    [BINS(c->s)..: 9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 64.1,66.7,638.8,711.0,16.5,201.4,1246.7,1463.2,104.9,69.4,22.0,94.7,71.2,78.1,7.1,87.2,75.8,84.5,84.3,76.4,307.3,280.7,43.3,5019.6,5092.3,178.8,59560.5,59727.7,60063.8,60077.6,375.9,0.0]
+                   [IATS(ms)....: 64.1,66.7,638.8,711.0,16.5,201.4,1246.7,1463.2,104.9,69.4,22.0,94.7,71.2,78.1,7.1,87.2,75.8,84.5,84.3,76.4,307.3,280.7,43.3,5019.6,5092.3,178.8,59560.5,59727.7,60063.8,60077.6,375.9]
                    [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54]
               end: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable]
               end: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable]
@@ -68,7 +68,7 @@
                    [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 61.0,66.3,638.6,696.7,5.2,274.7,1166.9,1477.5,96.3,57.0,0.0,69.6,64.9,63.5,66.2,66.3,63.9,64.1,63.9,63.8,65.2,65.0,63.2,63.3,64.2,64.1,63.8,54.1,11.8,65.2,63.5,0.0]
+                   [IATS(ms)....: 61.0,66.3,638.6,696.7,5.2,274.7,1166.9,1477.5,96.3,57.0,0.0,69.6,64.9,63.5,66.2,66.3,63.9,64.1,63.9,63.8,65.2,65.0,63.2,63.3,64.2,64.1,63.8,54.1,11.8,65.2,63.5]
                    [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]
               new: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] 
          detected: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable]
@@ -86,7 +86,7 @@
                    [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0]
-                   [IATS(ms)....: 66.2,68.9,635.0,702.4,15.4,246.0,1210.6,1481.6,108.8,76.2,16.8,97.4,71.0,72.8,6.7,85.9,79.2,75.8,75.0,77.2,97.4,2619.5,2881.1,371.8,59569.0,59778.5,60066.0,60063.7,377.5,447.3,59622.6,0.0]
+                   [IATS(ms)....: 66.2,68.9,635.0,702.4,15.4,246.0,1210.6,1481.6,108.8,76.2,16.8,97.4,71.0,72.8,6.7,85.9,79.2,75.8,75.0,77.2,97.4,2619.5,2881.1,371.8,59569.0,59778.5,60066.0,60063.7,377.5,447.3,59622.6]
                    [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60]
              idle: [.....6] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable]
      DAEMON-EVENT: [Processed: 424 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -105,7 +105,7 @@
                    [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 56.8,63.4,631.1,692.5,5.0,275.3,1167.1,1475.0,94.9,57.0,0.0,68.3,63.6,63.6,63.3,63.5,64.3,71.1,70.3,64.3,64.5,64.0,64.3,64.3,63.7,63.2,62.9,53.1,10.8,65.0,64.0,0.0]
+                   [IATS(ms)....: 56.8,63.4,631.1,692.5,5.0,275.3,1167.1,1475.0,94.9,57.0,0.0,68.3,63.6,63.6,63.3,63.5,64.3,71.1,70.3,64.3,64.5,64.0,64.3,64.3,63.7,63.2,62.9,53.1,10.8,65.0,64.0]
                    [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]
               new: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] 
          detected: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable]
@@ -121,7 +121,7 @@
                    [BINS(c->s)..: 10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 65.1,68.1,678.4,747.3,17.5,94.7,1396.4,1507.7,104.4,70.6,14.5,87.7,68.9,73.0,7.0,83.6,72.6,4.3,74.3,110.5,112.2,137.1,59606.1,59757.9,60076.8,60061.1,60093.4,60092.4,60108.1,60116.2,184.2,0.0]
+                   [IATS(ms)....: 65.1,68.1,678.4,747.3,17.5,94.7,1396.4,1507.7,104.4,70.6,14.5,87.7,68.9,73.0,7.0,83.6,72.6,4.3,74.3,110.5,112.2,137.1,59606.1,59757.9,60076.8,60061.1,60093.4,60092.4,60108.1,60116.2,184.2]
                    [PKTLENS.....: 60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54]
      DAEMON-EVENT: [Processed: 562 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 12|skipped: 0|!detected: 0|guessed: 1|detection-updates: 3|updates: 6]
@@ -140,7 +140,7 @@
                    [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 55.5,58.1,637.6,698.6,8.3,132.5,1319.8,1484.0,100.9,62.4,0.0,73.7,66.3,66.1,64.4,70.8,72.5,66.2,63.7,65.4,67.1,65.6,63.5,64.0,64.9,67.0,66.2,76.4,5.2,82.4,64.4,0.0]
+                   [IATS(ms)....: 55.5,58.1,637.6,698.6,8.3,132.5,1319.8,1484.0,100.9,62.4,0.0,73.7,66.3,66.1,64.4,70.8,72.5,66.2,63.7,65.4,67.1,65.6,63.5,64.0,64.9,67.0,66.2,76.4,5.2,82.4,64.4]
                    [PKTLENS.....: 60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]
               new: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] 
           analyse: [....13] [ip4][..tcp] [.192.168.242.15][63350] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable]
@@ -150,7 +150,7 @@
                    [BINS(c->s)..: 10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 68.6,72.2,634.4,701.9,15.9,150.9,1314.3,1491.3,109.2,71.0,18.0,93.5,70.2,72.1,7.2,80.0,74.1,77.1,76.5,41.6,115.5,208.5,59946.9,60155.8,60057.7,60124.3,30586.0,30652.9,66.9,1.3,68.3,0.0]
+                   [IATS(ms)....: 68.6,72.2,634.4,701.9,15.9,150.9,1314.3,1491.3,109.2,71.0,18.0,93.5,70.2,72.1,7.2,80.0,74.1,77.1,76.5,41.6,115.5,208.5,59946.9,60155.8,60057.7,60124.3,30586.0,30652.9,66.9,1.3,68.3]
                    [PKTLENS.....: 60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54]
          detected: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable]
               new: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] 
@@ -167,7 +167,7 @@
                    [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 65.3,67.8,637.5,709.8,18.7,293.4,1174.5,1482.0,109.1,72.2,18.0,90.8,70.3,73.2,8.7,96.5,87.7,75.9,79.0,77.4,126.7,2595.7,2731.0,150.4,59910.8,60056.8,60173.1,60107.0,4.7,60.6,60165.3,0.0]
+                   [IATS(ms)....: 65.3,67.8,637.5,709.8,18.7,293.4,1174.5,1482.0,109.1,72.2,18.0,90.8,70.3,73.2,8.7,96.5,87.7,75.9,79.0,77.4,126.7,2595.7,2731.0,150.4,59910.8,60056.8,60173.1,60107.0,4.7,60.6,60165.3]
                    [PKTLENS.....: 60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60]
              idle: [....14] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable]
      DAEMON-EVENT: [Processed: 713 pkts][ZLib][compressions: 0|diff: 0 / 0]
diff --git a/test/results/flow-info/netbios.pcap.out b/test/results/flow-info/netbios.pcap.out
index 9d6a631aa..a2837b091 100644
--- a/test/results/flow-info/netbios.pcap.out
+++ b/test/results/flow-info/netbios.pcap.out
@@ -16,7 +16,7 @@
                    [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 471.3,14.0,264.7,470.8,80.2,113.8,555.8,80.0,113.3,146.8,489.8,113.3,146.4,750.0,33.7,749.5,308.6,441.4,307.6,628.9,121.0,628.9,471.0,279.0,470.7,458.5,291.5,334.2,123.8,93.1,532.9,0.0]
+                   [IATS(ms)....: 471.3,14.0,264.7,470.8,80.2,113.8,555.8,80.0,113.3,146.8,489.8,113.3,146.4,750.0,33.7,749.5,308.6,441.4,307.6,628.9,121.0,628.9,471.0,279.0,470.7,458.5,291.5,334.2,123.8,93.1,532.9]
                    [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]
               new: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] 
          detected: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable]
@@ -46,7 +46,7 @@
                    [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 749.4,750.1,1510.9,749.4,750.1,1512.1,749.1,750.1,1513.7,749.6,750.2,1509.2,749.9,750.1,1511.1,749.1,750.1,1516.0,749.2,750.1,1508.0,749.3,750.1,1513.5,749.8,750.0,1513.1,749.2,750.1,1506.9,749.4,0.0]
+                   [IATS(ms)....: 749.4,750.1,1510.9,749.4,750.1,1512.1,749.1,750.1,1513.7,749.6,750.2,1509.2,749.9,750.1,1511.1,749.1,750.1,1516.0,749.2,750.1,1508.0,749.3,750.1,1513.5,749.8,750.0,1513.1,749.2,750.1,1506.9,749.4]
                    [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]
               new: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] 
          detected: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable]
diff --git a/test/results/flow-info/netflix.pcap.out b/test/results/flow-info/netflix.pcap.out
index 1b0622088..c03fdc0b6 100644
--- a/test/results/flow-info/netflix.pcap.out
+++ b/test/results/flow-info/netflix.pcap.out
@@ -40,7 +40,7 @@
                    [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 46.0,48.6,0.6,54.0,1.6,1.0,54.9,11.1,13.5,9.4,0.3,0.4,58.7,4.6,50.8,1.9,0.2,59.5,0.6,62.1,8.5,4.7,310.9,0.6,363.7,5.8,0.1,0.1,58.1,0.2,0.1,0.0]
+                   [IATS(ms)....: 46.0,48.6,0.6,54.0,1.6,1.0,54.9,11.1,13.5,9.4,0.3,0.4,58.7,4.6,50.8,1.9,0.2,59.5,0.6,62.1,8.5,4.7,310.9,0.6,363.7,5.8,0.1,0.1,58.1,0.2,0.1]
                    [PKTLENS.....: 78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66]
           analyse: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -49,7 +49,7 @@
                    [BINS(c->s)..: 10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0]
                    [BINS(s->c)..: 5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1]
-                   [IATS(ms)....: 45.5,51.8,0.3,66.4,0.5,13.8,75.5,25.6,26.5,15.6,0.3,0.2,61.0,0.4,44.1,5.1,0.2,57.7,67.8,0.2,2.7,131.0,13.8,8.4,10.0,8.1,2.4,2.3,141.1,1.2,199.9,0.0]
+                   [IATS(ms)....: 45.5,51.8,0.3,66.4,0.5,13.8,75.5,25.6,26.5,15.6,0.3,0.2,61.0,0.4,44.1,5.1,0.2,57.7,67.8,0.2,2.7,131.0,13.8,8.4,10.0,8.1,2.4,2.3,141.1,1.2,199.9]
                    [PKTLENS.....: 78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66]
  detection-update: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] [TLS.NetFlix][Video][Fun]
               new: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] 
@@ -93,7 +93,7 @@
                    [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 50.8,52.1,3.9,68.9,0.5,14.7,80.5,16.9,16.6,16.1,0.4,0.2,66.7,0.8,50.7,3.2,0.3,61.4,291.2,0.1,350.1,11.8,12.8,24.1,12.5,12.3,13.9,13.7,2.7,13.3,16.3,0.0]
+                   [IATS(ms)....: 50.8,52.1,3.9,68.9,0.5,14.7,80.5,16.9,16.6,16.1,0.4,0.2,66.7,0.8,50.7,3.2,0.3,61.4,291.2,0.1,350.1,11.8,12.8,24.1,12.5,12.3,13.9,13.7,2.7,13.3,16.3]
                    [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66]
  detection-update: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -111,7 +111,7 @@
                    [BINS(c->s)..: 8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0]
-                   [IATS(ms)....: 11.4,14.4,1.7,21.1,2.9,0.3,24.0,10.4,7.4,16.9,0.4,0.8,30.8,4.7,18.1,26.0,0.2,0.3,0.1,0.2,0.1,0.4,4.5,0.2,40.2,7.1,5.4,4.2,0.5,0.4,2.0,0.0]
+                   [IATS(ms)....: 11.4,14.4,1.7,21.1,2.9,0.3,24.0,10.4,7.4,16.9,0.4,0.8,30.8,4.7,18.1,26.0,0.2,0.3,0.1,0.2,0.1,0.4,4.5,0.2,40.2,7.1,5.4,4.2,0.5,0.4,2.0]
                    [PKTLENS.....: 78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66]
           analyse: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -120,7 +120,7 @@
                    [BINS(c->s)..: 10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 49.5,50.9,4.4,54.3,2.4,1.0,53.5,43.0,42.8,12.7,0.3,0.2,57.4,5.1,49.3,4.2,0.4,50.0,75.8,32.1,2.0,0.9,5.1,4.7,0.1,7402.2,0.1,7507.8,0.9,35.7,1.0,0.0]
+                   [IATS(ms)....: 49.5,50.9,4.4,54.3,2.4,1.0,53.5,43.0,42.8,12.7,0.3,0.2,57.4,5.1,49.3,4.2,0.4,50.0,75.8,32.1,2.0,0.9,5.1,4.7,0.1,7402.2,0.1,7507.8,0.9,35.7,1.0]
                    [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488]
  detection-update: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -140,7 +140,7 @@
                    [BINS(c->s)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0]
-                   [IATS(ms)....: 22.7,29.1,36.8,70.3,13.3,32.4,26.0,101.8,6.9,28.0,25.2,45.0,56.4,27.1,27.2,53.8,54.3,26.1,52.1,80.7,53.8,398.5,54.3,39.9,109.6,40.5,26.1,51.5,108.1,13.3,1300.1,0.0]
+                   [IATS(ms)....: 22.7,29.1,36.8,70.3,13.3,32.4,26.0,101.8,6.9,28.0,25.2,45.0,56.4,27.1,27.2,53.8,54.3,26.1,52.1,80.7,53.8,398.5,54.3,39.9,109.6,40.5,26.1,51.5,108.1,13.3,1300.1]
                    [PKTLENS.....: 78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94]
               new: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] 
          detected: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun]
@@ -154,7 +154,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0]
-                   [IATS(ms)....: 44.1,45.6,3.9,10.7,0.2,60.0,5.7,1.0,135.1,0.3,187.2,5.7,5.7,13.9,14.0,13.3,14.4,27.8,13.3,13.1,9.2,13.3,22.5,13.4,39.3,13.3,13.3,13.9,13.3,13.3,124.5,0.0]
+                   [IATS(ms)....: 44.1,45.6,3.9,10.7,0.2,60.0,5.7,1.0,135.1,0.3,187.2,5.7,5.7,13.9,14.0,13.3,14.4,27.8,13.3,13.1,9.2,13.3,22.5,13.4,39.3,13.3,13.3,13.9,13.3,13.3,124.5]
                    [PKTLENS.....: 78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78]
               new: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] 
          detected: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] [HTTP.NetFlix][Video][Fun]
@@ -170,7 +170,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 22.4,28.9,26.8,57.7,0.6,13.2,40.1,31.8,42.8,26.5,25.5,50.2,53.2,30.9,25.5,54.9,53.8,27.2,52.7,79.5,53.8,544.7,1520.0,11.6,27.4,27.3,28.8,635.4,3643.8,6030.9,1.1,0.0]
+                   [IATS(ms)....: 22.4,28.9,26.8,57.7,0.6,13.2,40.1,31.8,42.8,26.5,25.5,50.2,53.2,30.9,25.5,54.9,53.8,27.2,52.7,79.5,53.8,544.7,1520.0,11.6,27.4,27.3,28.8,635.4,3643.8,6030.9,1.1]
                    [PKTLENS.....: 78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514]
  detection-update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable]
               new: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] 
@@ -195,7 +195,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1]
-                   [IATS(ms)....: 24.8,26.3,3.8,42.5,4.8,43.8,27.2,40.5,69.4,43.9,44.8,78.3,38.8,79.8,102.6,28.8,14.7,354.3,85.0,14.1,12.4,12.7,651.0,22.9,582.5,8.6,27.5,16.4,16.4,14.7,15.1,0.0]
+                   [IATS(ms)....: 24.8,26.3,3.8,42.5,4.8,43.8,27.2,40.5,69.4,43.9,44.8,78.3,38.8,79.8,102.6,28.8,14.7,354.3,85.0,14.1,12.4,12.7,651.0,22.9,582.5,8.6,27.5,16.4,16.4,14.7,15.1]
                    [PKTLENS.....: 78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514]
               new: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] 
          detected: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP.NetFlix][Video][Fun]
@@ -207,7 +207,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1]
-                   [IATS(ms)....: 18.8,21.4,5.1,35.7,1.0,5.4,35.5,13.2,14.0,20.3,20.4,13.2,116.2,170.2,28.1,56.6,51.6,31.7,27.6,12.8,327.6,131.4,638.9,580.0,19.9,15.0,30.0,13.6,42.3,118.7,118.0,0.0]
+                   [IATS(ms)....: 18.8,21.4,5.1,35.7,1.0,5.4,35.5,13.2,14.0,20.3,20.4,13.2,116.2,170.2,28.1,56.6,51.6,31.7,27.6,12.8,327.6,131.4,638.9,580.0,19.9,15.0,30.0,13.6,42.3,118.7,118.0]
                    [PKTLENS.....: 78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514]
               new: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] 
          detected: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun]
@@ -219,7 +219,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 30.8,32.5,5.5,44.3,2.2,41.1,2.9,12.8,15.6,14.9,15.0,12.8,12.7,26.4,12.8,11.9,13.3,17.2,31.0,13.3,13.6,25.6,14.3,13.9,26.7,13.8,13.3,27.2,13.3,13.3,27.2,0.0]
+                   [IATS(ms)....: 30.8,32.5,5.5,44.3,2.2,41.1,2.9,12.8,15.6,14.9,15.0,12.8,12.7,26.4,12.8,11.9,13.3,17.2,31.0,13.3,13.6,25.6,14.3,13.9,26.7,13.8,13.3,27.2,13.3,13.3,27.2]
                    [PKTLENS.....: 78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
           analyse: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -228,7 +228,7 @@
                    [BINS(c->s)..: 17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1]
-                   [IATS(ms)....: 24.9,27.7,3.0,28.5,27.9,27.8,80.3,56.8,57.0,49.3,90.4,82.5,40.9,66.5,53.9,192.1,80.5,134.7,711.3,23.0,31.3,47.8,1645.4,40.4,54.8,160.8,1864.4,25.7,40.5,28.5,4093.6,0.0]
+                   [IATS(ms)....: 24.9,27.7,3.0,28.5,27.9,27.8,80.3,56.8,57.0,49.3,90.4,82.5,40.9,66.5,53.9,192.1,80.5,134.7,711.3,23.0,31.3,47.8,1645.4,40.4,54.8,160.8,1864.4,25.7,40.5,28.5,4093.6]
                    [PKTLENS.....: 78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514]
               new: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] 
               new: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] 
@@ -270,7 +270,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1]
-                   [IATS(ms)....: 61.8,72.3,0.5,134.9,0.4,125.9,1162.3,73.6,0.9,212.9,11.5,409.2,101.1,1.9,70.9,2097.5,79.5,52.1,129.8,120.6,42.9,59.9,67.1,69.4,174.4,284.0,29.4,65.0,252.7,150.5,125.9,0.0]
+                   [IATS(ms)....: 61.8,72.3,0.5,134.9,0.4,125.9,1162.3,73.6,0.9,212.9,11.5,409.2,101.1,1.9,70.9,2097.5,79.5,52.1,129.8,120.6,42.9,59.9,67.1,69.4,174.4,284.0,29.4,65.0,252.7,150.5,125.9]
                    [PKTLENS.....: 78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514]
           analyse: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -279,7 +279,7 @@
                    [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1]
-                   [IATS(ms)....: 43.7,45.8,23.6,124.8,4.9,111.6,635.9,176.1,0.2,0.1,41.6,37.4,940.2,0.9,45.4,434.5,483.8,1047.0,74.7,202.4,418.9,472.2,955.3,169.9,525.3,694.3,167.2,252.3,98.0,326.3,148.9,0.0]
+                   [IATS(ms)....: 43.7,45.8,23.6,124.8,4.9,111.6,635.9,176.1,0.2,0.1,41.6,37.4,940.2,0.9,45.4,434.5,483.8,1047.0,74.7,202.4,418.9,472.2,955.3,169.9,525.3,694.3,167.2,252.3,98.0,326.3,148.9]
                    [PKTLENS.....: 78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514]
           analyse: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -288,7 +288,7 @@
                    [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1]
-                   [IATS(ms)....: 16.1,19.4,23.6,88.6,4.0,82.2,1105.3,26.9,21.8,19.6,0.6,13.1,381.6,1636.2,66.4,119.0,421.4,408.1,882.7,90.2,143.4,490.4,519.4,92.3,121.0,487.1,597.7,217.6,227.5,270.0,221.9,0.0]
+                   [IATS(ms)....: 16.1,19.4,23.6,88.6,4.0,82.2,1105.3,26.9,21.8,19.6,0.6,13.1,381.6,1636.2,66.4,119.0,421.4,408.1,882.7,90.2,143.4,490.4,519.4,92.3,121.0,487.1,597.7,217.6,227.5,270.0,221.9]
                    [PKTLENS.....: 78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514]
           analyse: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -297,7 +297,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]
-                   [IATS(ms)....: 23.9,25.1,18.2,72.5,4.9,71.3,152.2,249.5,985.6,26.7,1397.2,519.1,299.5,499.9,482.3,40.5,55.6,206.8,137.1,537.5,535.2,174.3,571.8,776.0,198.8,230.5,89.9,284.0,128.1,116.3,110.5,0.0]
+                   [IATS(ms)....: 23.9,25.1,18.2,72.5,4.9,71.3,152.2,249.5,985.6,26.7,1397.2,519.1,299.5,499.9,482.3,40.5,55.6,206.8,137.1,537.5,535.2,174.3,571.8,776.0,198.8,230.5,89.9,284.0,128.1,116.3,110.5]
                    [PKTLENS.....: 78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514]
           analyse: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -306,7 +306,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0]
-                   [IATS(ms)....: 61.7,63.1,19.4,172.7,0.3,153.9,1162.5,94.2,1.4,12.3,104.3,65.9,674.7,41.5,40.0,488.9,2716.4,44.9,75.7,28.7,32.8,29.5,133.6,256.1,743.0,71.3,1131.5,569.7,135.4,73.6,104.1,0.0]
+                   [IATS(ms)....: 61.7,63.1,19.4,172.7,0.3,153.9,1162.5,94.2,1.4,12.3,104.3,65.9,674.7,41.5,40.0,488.9,2716.4,44.9,75.7,28.7,32.8,29.5,133.6,256.1,743.0,71.3,1131.5,569.7,135.4,73.6,104.1]
                    [PKTLENS.....: 78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66]
           analyse: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -315,7 +315,7 @@
                    [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0]
-                   [IATS(ms)....: 20.0,22.2,5.3,69.1,0.1,72.2,626.0,607.0,26.6,520.3,51.5,55.5,593.2,41.7,80.3,418.0,3094.3,65.6,425.7,470.0,40.8,85.0,52.1,54.3,117.7,383.1,387.3,709.4,53.7,73.8,158.6,0.0]
+                   [IATS(ms)....: 20.0,22.2,5.3,69.1,0.1,72.2,626.0,607.0,26.6,520.3,51.5,55.5,593.2,41.7,80.3,418.0,3094.3,65.6,425.7,470.0,40.8,85.0,52.1,54.3,117.7,383.1,387.3,709.4,53.7,73.8,158.6]
                    [PKTLENS.....: 78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66]
           analyse: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -324,7 +324,7 @@
                    [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0]
-                   [IATS(ms)....: 61.9,63.0,9.0,155.1,0.3,150.1,1152.4,92.1,0.5,591.4,113.7,141.7,52.3,0.5,39.9,381.1,2608.5,28.2,68.2,27.2,29.6,26.6,56.5,81.7,44.8,43.7,497.4,496.6,1208.9,807.4,91.6,0.0]
+                   [IATS(ms)....: 61.9,63.0,9.0,155.1,0.3,150.1,1152.4,92.1,0.5,591.4,113.7,141.7,52.3,0.5,39.9,381.1,2608.5,28.2,68.2,27.2,29.6,26.6,56.5,81.7,44.8,43.7,497.4,496.6,1208.9,807.4,91.6]
                    [PKTLENS.....: 78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86]
           analyse: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -333,7 +333,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 11.7,15.7,2.4,60.2,1.2,0.1,57.1,107.8,316.9,313.9,536.7,811.2,71.2,122.5,693.7,84.7,585.6,3064.5,52.8,57.9,98.4,231.5,526.2,115.1,0.7,585.7,117.7,1178.9,25.8,79.1,64.3,0.0]
+                   [IATS(ms)....: 11.7,15.7,2.4,60.2,1.2,0.1,57.1,107.8,316.9,313.9,536.7,811.2,71.2,122.5,693.7,84.7,585.6,3064.5,52.8,57.9,98.4,231.5,526.2,115.1,0.7,585.7,117.7,1178.9,25.8,79.1,64.3]
                    [PKTLENS.....: 78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514]
           analyse: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -342,7 +342,7 @@
                    [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 43.2,45.3,13.2,106.7,4.9,97.9,1317.7,102.1,98.2,0.2,515.8,59.8,1148.4,57.2,54.9,165.2,3546.3,68.4,92.3,156.0,131.0,70.0,95.9,104.0,104.5,205.1,729.4,92.0,551.2,1189.4,68.2,0.0]
+                   [IATS(ms)....: 43.2,45.3,13.2,106.7,4.9,97.9,1317.7,102.1,98.2,0.2,515.8,59.8,1148.4,57.2,54.9,165.2,3546.3,68.4,92.3,156.0,131.0,70.0,95.9,104.0,104.5,205.1,729.4,92.0,551.2,1189.4,68.2]
                    [PKTLENS.....: 78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514]
           analyse: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -351,7 +351,7 @@
                    [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 41.4,43.5,2.9,82.1,0.1,78.7,1252.1,77.7,132.2,0.8,525.3,100.7,510.0,513.0,40.3,4457.1,87.0,1393.0,522.4,574.9,39.6,91.2,57.6,58.1,139.0,449.1,380.1,69.9,139.5,473.4,516.8,0.0]
+                   [IATS(ms)....: 41.4,43.5,2.9,82.1,0.1,78.7,1252.1,77.7,132.2,0.8,525.3,100.7,510.0,513.0,40.3,4457.1,87.0,1393.0,522.4,574.9,39.6,91.2,57.6,58.1,139.0,449.1,380.1,69.9,139.5,473.4,516.8]
                    [PKTLENS.....: 78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514]
           analyse: [....37] [ip4][..tcp] [....192.168.1.7][53176] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -360,7 +360,7 @@
                    [BINS(c->s)..: 22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1]
-                   [IATS(ms)....: 43.9,45.8,13.4,88.6,4.9,81.9,1250.8,92.5,118.4,0.7,544.2,69.2,495.5,501.7,62.9,1143.9,28.6,39.1,4432.0,83.0,87.8,169.9,586.4,795.5,292.9,509.0,501.2,1203.5,55.9,83.0,70.7,0.0]
+                   [IATS(ms)....: 43.9,45.8,13.4,88.6,4.9,81.9,1250.8,92.5,118.4,0.7,544.2,69.2,495.5,501.7,62.9,1143.9,28.6,39.1,4432.0,83.0,87.8,169.9,586.4,795.5,292.9,509.0,501.2,1203.5,55.9,83.0,70.7]
                    [PKTLENS.....: 78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514]
           analyse: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -369,7 +369,7 @@
                    [BINS(c->s)..: 9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0]
                    [BINS(s->c)..: 9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 47.0,48.4,1.7,53.1,2.6,1.0,62.3,11.1,6.0,10.8,0.3,0.3,60.3,3.4,50.1,4.4,0.9,0.6,55.9,50.5,0.3,42.7,4.0,5.1,5.2,0.1,57.7,0.3,30033.4,30086.0,0.8,0.0]
+                   [IATS(ms)....: 47.0,48.4,1.7,53.1,2.6,1.0,62.3,11.1,6.0,10.8,0.3,0.3,60.3,3.4,50.1,4.4,0.9,0.6,55.9,50.5,0.3,42.7,4.0,5.1,5.2,0.1,57.7,0.3,30033.4,30086.0,0.8]
                    [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66]
  detection-update: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun]
               new: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] 
@@ -391,7 +391,7 @@
                    [BINS(c->s)..: 10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0]
                    [BINS(s->c)..: 7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 44.9,46.3,7.4,58.2,1.8,1.0,55.8,12.1,9.9,9.3,0.3,0.2,60.5,0.1,50.8,11.5,0.5,0.2,72.1,60.9,0.3,50.8,0.4,15.7,16.9,0.1,0.1,82.9,0.3,0.1,30431.5,0.0]
+                   [IATS(ms)....: 44.9,46.3,7.4,58.2,1.8,1.0,55.8,12.1,9.9,9.3,0.3,0.2,60.5,0.1,50.8,11.5,0.5,0.2,72.1,60.9,0.3,50.8,0.4,15.7,16.9,0.1,0.1,82.9,0.3,0.1,30431.5]
                    [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66]
  detection-update: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun]
          detected: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun]
@@ -416,7 +416,7 @@
                    [BINS(c->s)..: 5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
                    [BINS(s->c)..: 5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1]
-                   [IATS(ms)....: 53.4,54.6,4.5,73.7,0.5,53.6,123.5,11.6,72.5,62.7,1.5,55.8,52.4,2.2,0.2,0.4,0.2,96.3,96.4,0.2,0.1,0.1,82.6,81.7,0.9,0.2,0.2,38.2,40.6,146.6,266.1,0.0]
+                   [IATS(ms)....: 53.4,54.6,4.5,73.7,0.5,53.6,123.5,11.6,72.5,62.7,1.5,55.8,52.4,2.2,0.2,0.4,0.2,96.3,96.4,0.2,0.1,0.1,82.6,81.7,0.9,0.2,0.2,38.2,40.6,146.6,266.1]
                    [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86]
  detection-update: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -427,7 +427,7 @@
                    [BINS(c->s)..: 10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [BINS(s->c)..: 5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0]
-                   [IATS(ms)....: 50.8,52.1,6.3,61.1,40.7,74.7,170.4,11.8,79.4,67.6,2.0,57.4,55.8,1.7,0.8,0.2,0.2,82.5,79.7,0.2,94.6,127.5,60.6,282.5,10.6,27.6,38.0,39.9,42.9,7.7,0.7,0.0]
+                   [IATS(ms)....: 50.8,52.1,6.3,61.1,40.7,74.7,170.4,11.8,79.4,67.6,2.0,57.4,55.8,1.7,0.8,0.2,0.2,82.5,79.7,0.2,94.6,127.5,60.6,282.5,10.6,27.6,38.0,39.9,42.9,7.7,0.7]
                    [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66]
  detection-update: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -438,7 +438,7 @@
                    [BINS(c->s)..: 6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0]
-                   [IATS(ms)....: 69.5,71.0,2.6,55.6,49.1,64.4,167.9,331.9,332.6,26.5,0.7,0.7,87.7,0.5,60.7,8.8,7.1,0.4,81.1,62.8,0.8,0.2,0.1,68.1,67.1,0.8,0.2,0.1,111.2,109.6,2.5,0.0]
+                   [IATS(ms)....: 69.5,71.0,2.6,55.6,49.1,64.4,167.9,331.9,332.6,26.5,0.7,0.7,87.7,0.5,60.7,8.8,7.1,0.4,81.1,62.8,0.8,0.2,0.1,68.1,67.1,0.8,0.2,0.1,111.2,109.6,2.5]
                    [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514]
  detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][Video][Fun]
           analyse: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun]
@@ -448,7 +448,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 26.1,27.5,2.6,46.5,5.4,49.4,29.6,29.5,8.5,38.4,5.4,39.8,38.4,39.7,140.3,138.3,356.6,206.9,472.0,29.3,417.4,40.8,81.5,44.0,43.4,83.0,187.8,28.6,25.2,184.4,25.5,0.0]
+                   [IATS(ms)....: 26.1,27.5,2.6,46.5,5.4,49.4,29.6,29.5,8.5,38.4,5.4,39.8,38.4,39.7,140.3,138.3,356.6,206.9,472.0,29.3,417.4,40.8,81.5,44.0,43.4,83.0,187.8,28.6,25.2,184.4,25.5]
                    [PKTLENS.....: 78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514]
           analyse: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -457,7 +457,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0]
-                   [IATS(ms)....: 30.5,31.5,13.2,64.0,5.3,56.4,6.1,68.2,5.4,71.5,109.5,202.7,164.8,560.3,47.3,79.0,279.5,27.7,94.5,26.6,26.1,15.8,70.5,85.9,39.5,39.8,41.6,84.4,730.9,41.5,39.7,0.0]
+                   [IATS(ms)....: 30.5,31.5,13.2,64.0,5.3,56.4,6.1,68.2,5.4,71.5,109.5,202.7,164.8,560.3,47.3,79.0,279.5,27.7,94.5,26.6,26.1,15.8,70.5,85.9,39.5,39.8,41.6,84.4,730.9,41.5,39.7]
                    [PKTLENS.....: 78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66]
               new: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] 
          detected: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun]
@@ -469,7 +469,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 18.4,19.9,3.7,28.9,18.1,45.8,41.6,39.6,18.5,45.3,5.4,31.7,29.4,29.5,41.1,41.1,82.2,87.7,42.1,64.3,51.5,299.9,159.8,515.7,436.0,526.6,530.0,40.0,69.9,40.4,40.4,0.0]
+                   [IATS(ms)....: 18.4,19.9,3.7,28.9,18.1,45.8,41.6,39.6,18.5,45.3,5.4,31.7,29.4,29.5,41.1,41.1,82.2,87.7,42.1,64.3,51.5,299.9,159.8,515.7,436.0,526.6,530.0,40.0,69.9,40.4,40.4]
                    [PKTLENS.....: 78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66]
            update: [....10] [ip4][..udp] [....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][System][Acceptable]
            update: [.....2] [ip4][..udp] [....192.168.1.7][51543] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun]
@@ -487,7 +487,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0]
-                   [IATS(ms)....: 13.0,14.8,4.0,30.3,0.8,3.7,30.3,0.2,16.5,35.6,2.0,21.5,3.2,3.3,13.3,13.3,26.5,13.3,13.5,13.8,42.7,56.4,14.7,15.2,71.0,25.5,25.5,25.5,51.6,55.2,286.1,0.0]
+                   [IATS(ms)....: 13.0,14.8,4.0,30.3,0.8,3.7,30.3,0.2,16.5,35.6,2.0,21.5,3.2,3.3,13.3,13.3,26.5,13.3,13.5,13.8,42.7,56.4,14.7,15.2,71.0,25.5,25.5,25.5,51.6,55.2,286.1]
                    [PKTLENS.....: 78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86]
            update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable]
            update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun]
@@ -535,7 +535,7 @@
                    [BINS(c->s)..: 12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 52.7,54.2,4.7,50.1,0.9,46.0,1.1,0.4,2.3,0.6,48.9,36.1,58.6,0.1,1.0,141.4,13.3,12.2,4.7,8.7,8.5,4.5,3.7,4.5,12.4,12.8,15.2,13.9,6.1,6.2,6.8,0.0]
+                   [IATS(ms)....: 52.7,54.2,4.7,50.1,0.9,46.0,1.1,0.4,2.3,0.6,48.9,36.1,58.6,0.1,1.0,141.4,13.3,12.2,4.7,8.7,8.5,4.5,3.7,4.5,12.4,12.8,15.2,13.9,6.1,6.2,6.8]
                    [PKTLENS.....: 78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721]
               new: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] 
          detected: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable]
@@ -551,7 +551,7 @@
                    [BINS(c->s)..: 10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 58.3,61.2,1.8,70.6,2.9,1.0,71.3,11.6,12.3,13.1,0.1,0.1,65.7,0.8,52.3,3.6,0.2,91.6,51.8,0.3,140.2,3.7,3.4,3.9,5.5,6.4,5.0,437.2,0.9,500.9,291.9,0.0]
+                   [IATS(ms)....: 58.3,61.2,1.8,70.6,2.9,1.0,71.3,11.6,12.3,13.1,0.1,0.1,65.7,0.8,52.3,3.6,0.2,91.6,51.8,0.3,140.2,3.7,3.4,3.9,5.5,6.4,5.0,437.2,0.9,500.9,291.9]
                    [PKTLENS.....: 78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514]
  detection-update: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun]
           analyse: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun]
@@ -561,7 +561,7 @@
                    [BINS(c->s)..: 5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 16.7,17.7,12.0,38.5,0.5,12.7,40.1,27.1,27.1,58.5,99.8,81.1,33.9,23.7,53.8,53.8,65.1,48.0,65.4,13.9,30.9,13.3,28.7,40.4,54.5,28.8,29.4,29.4,27.5,25.5,25.5,0.0]
+                   [IATS(ms)....: 16.7,17.7,12.0,38.5,0.5,12.7,40.1,27.1,27.1,58.5,99.8,81.1,33.9,23.7,53.8,53.8,65.1,48.0,65.4,13.9,30.9,13.3,28.7,40.4,54.5,28.8,29.4,29.4,27.5,25.5,25.5]
                    [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]
           analyse: [....60] [ip4][..tcp] [....192.168.1.7][53251] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -570,7 +570,7 @@
                    [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 15.4,16.8,2.1,27.2,1.0,1.1,27.3,38.1,39.4,39.9,44.7,83.4,40.7,236.7,277.7,1389.8,1416.3,0.3,12.8,48.7,0.2,12.8,12.8,15.9,13.8,16.3,12.8,12.7,23.2,13.3,13.2,0.0]
+                   [IATS(ms)....: 15.4,16.8,2.1,27.2,1.0,1.1,27.3,38.1,39.4,39.9,44.7,83.4,40.7,236.7,277.7,1389.8,1416.3,0.3,12.8,48.7,0.2,12.8,12.8,15.9,13.8,16.3,12.8,12.7,23.2,13.3,13.2]
                    [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66]
               end: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun]
              idle: [....12] [ip4][....2] [....192.168.1.7] -> [239.255.255.250] [IGMP][Network][Acceptable]
diff --git a/test/results/flow-info/nfsv2.pcap.out b/test/results/flow-info/nfsv2.pcap.out
index c122cad11..2cb0e31cb 100644
--- a/test/results/flow-info/nfsv2.pcap.out
+++ b/test/results/flow-info/nfsv2.pcap.out
@@ -21,7 +21,7 @@
                    [BINS(c->s)..: 0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 40.0,40.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 40.0,40.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0]
                    [PKTLENS.....: 166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138]
               new: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] 
          detected: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable]
diff --git a/test/results/flow-info/nfsv3.pcap.out b/test/results/flow-info/nfsv3.pcap.out
index 3d56985ff..f0c174016 100644
--- a/test/results/flow-info/nfsv3.pcap.out
+++ b/test/results/flow-info/nfsv3.pcap.out
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 10.0,10.0,50.0,50.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 10.0,10.0,50.0,50.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0]
                    [PKTLENS.....: 170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74]
               new: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] 
          detected: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable]
diff --git a/test/results/flow-info/nintendo.pcap.out b/test/results/flow-info/nintendo.pcap.out
index aa5ee7950..cc0b61c58 100644
--- a/test/results/flow-info/nintendo.pcap.out
+++ b/test/results/flow-info/nintendo.pcap.out
@@ -18,7 +18,7 @@
                    [BINS(c->s)..: 0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 87.9,239.6,335.4,89.8,30.6,131.2,103.3,500.0,507.3,130.9,234.8,19.3,15.8,5.2,16.9,12.6,53.5,8.8,0.2,60.8,14.2,505.6,501.5,5.1,514.4,94.6,0.2,1729.7,0.1,52.6,0.1,0.0]
+                   [IATS(ms)....: 87.9,239.6,335.4,89.8,30.6,131.2,103.3,500.0,507.3,130.9,234.8,19.3,15.8,5.2,16.9,12.6,53.5,8.8,0.2,60.8,14.2,505.6,501.5,5.1,514.4,94.6,0.2,1729.7,0.1,52.6,0.1]
                    [PKTLENS.....: 102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118]
               new: [.....6] [ip4][..udp] [.192.168.12.114][52119] -> [..52.10.205.177][34343] 
               new: [.....7] [ip4][..udp] [.192.168.12.114][18874] -> [...192.168.12.1][...53] 
@@ -58,7 +58,7 @@
                    [BINS(c->s)..: 8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1]
-                   [IATS(ms)....: 6.3,307.1,3508.7,3481.6,0.2,0.0,276.4,18.5,55.2,0.1,35.7,210.9,214.2,255.3,13944.5,14019.1,0.8,0.1,5.3,332.5,29.9,280.4,254.2,215.7,3.4,13.6,231.1,4.3,259.0,453.5,730.8,0.0]
+                   [IATS(ms)....: 6.3,307.1,3508.7,3481.6,0.2,0.0,276.4,18.5,55.2,0.1,35.7,210.9,214.2,255.3,13944.5,14019.1,0.8,0.1,5.3,332.5,29.9,280.4,254.2,215.7,3.4,13.6,231.1,4.3,259.0,453.5,730.8]
                    [PKTLENS.....: 166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117]
               new: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] 
          detected: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] [Nintendo][Game][Fun]
@@ -77,7 +77,7 @@
                    [BINS(c->s)..: 0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1]
-                   [IATS(ms)....: 0.3,0.4,210.0,0.2,0.4,203.8,0.3,0.2,311.9,2.3,0.2,754.1,1.1,30.7,0.6,242.3,245.6,5.5,2.8,1.9,125.6,0.1,0.0,109.1,0.2,10.7,20.1,10.4,105.8,2.2,28.9,0.0]
+                   [IATS(ms)....: 0.3,0.4,210.0,0.2,0.4,203.8,0.3,0.2,311.9,2.3,0.2,754.1,1.1,30.7,0.6,242.3,245.6,5.5,2.8,1.9,125.6,0.1,0.0,109.1,0.2,10.7,20.1,10.4,105.8,2.2,28.9]
                    [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102]
           analyse: [....19] [ip4][..udp] [.192.168.12.114][55915] -> [.93.237.131.235][56066] [Nintendo][Game][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -86,7 +86,7 @@
                    [BINS(c->s)..: 0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.7,2.7,200.8,0.2,0.4,313.8,0.2,0.3,757.9,0.1,245.9,0.2,38.4,0.2,116.7,3.0,25.9,110.5,1.2,79.7,8.0,87.9,10.1,91.9,20.1,506.4,607.1,9.7,10.2,12.9,36.7,0.0]
+                   [IATS(ms)....: 0.7,2.7,200.8,0.2,0.4,313.8,0.2,0.3,757.9,0.1,245.9,0.2,38.4,0.2,116.7,3.0,25.9,110.5,1.2,79.7,8.0,87.9,10.1,91.9,20.1,506.4,607.1,9.7,10.2,12.9,36.7]
                    [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486]
           analyse: [....20] [ip4][..udp] [.192.168.12.114][55915] -> [..81.61.158.138][51769] [Nintendo][Game][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -95,7 +95,7 @@
                    [BINS(c->s)..: 0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0]
-                   [IATS(ms)....: 0.3,0.4,313.5,0.3,0.3,284.3,0.1,0.4,629.4,5.2,43.7,5.3,61.4,0.1,131.6,65.4,7.9,0.2,0.8,31.1,0.4,67.6,2.9,0.5,7.5,105.9,5.7,103.3,9.8,549.4,649.3,0.0]
+                   [IATS(ms)....: 0.3,0.4,313.5,0.3,0.3,284.3,0.1,0.4,629.4,5.2,43.7,5.3,61.4,0.1,131.6,65.4,7.9,0.2,0.8,31.1,0.4,67.6,2.9,0.5,7.5,105.9,5.7,103.3,9.8,549.4,649.3]
                    [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102]
           guessed: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] [AmazonAWS][Cloud][Acceptable]
              idle: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] 
diff --git a/test/results/flow-info/nntp.pcap.out b/test/results/flow-info/nntp.pcap.out
index 96d7b006b..31650d71f 100644
--- a/test/results/flow-info/nntp.pcap.out
+++ b/test/results/flow-info/nntp.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0]
-                   [IATS(ms)....: 0.2,0.2,17.0,17.1,0.2,0.4,673.1,673.7,0.6,0.3,40.5,19518.0,19565.8,8.0,4770.1,4784.4,14.3,0.1,0.0,25683.6,25684.3,0.8,12078.4,12090.7,12.5,0.2,0.1,4544.0,0.1,4544.3,0.3,0.0]
+                   [IATS(ms)....: 0.2,0.2,17.0,17.1,0.2,0.4,673.1,673.7,0.6,0.3,40.5,19518.0,19565.8,8.0,4770.1,4784.4,14.3,0.1,0.0,25683.6,25684.3,0.8,12078.4,12090.7,12.5,0.2,0.1,4544.0,0.1,4544.3,0.3]
                    [PKTLENS.....: 74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54]
               end: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/no_sni.pcap.out b/test/results/flow-info/no_sni.pcap.out
index 072d92afc..b94be78bb 100644
--- a/test/results/flow-info/no_sni.pcap.out
+++ b/test/results/flow-info/no_sni.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0]
-                   [IATS(ms)....: 137.9,138.0,4.7,0.3,0.1,180.3,3.0,178.2,0.2,0.0,0.1,2.3,6.4,1.4,5.5,15.4,0.1,0.7,0.1,1.4,74.0,13.5,4.2,2.9,0.0,76.8,0.1,5.4,2.5,0.0,8.0,0.0]
+                   [IATS(ms)....: 137.9,138.0,4.7,0.3,0.1,180.3,3.0,178.2,0.2,0.0,0.1,2.3,6.4,1.4,5.5,15.4,0.1,0.7,0.1,1.4,74.0,13.5,4.2,2.9,0.0,76.8,0.1,5.4,2.5,0.0,8.0]
                    [PKTLENS.....: 78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54]
          detected: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable]
  detection-update: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable]
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 121.2,121.3,5.4,100.4,0.4,95.3,1.0,4.8,0.1,77.1,0.5,71.8,0.2,0.4,0.6,0.2,76.9,15.5,380.4,472.6,2.8,2.8,2.1,2.1,1.6,1.6,1.4,0.3,1.6,0.6,0.6,0.0]
+                   [IATS(ms)....: 121.2,121.3,5.4,100.4,0.4,95.3,1.0,4.8,0.1,77.1,0.5,71.8,0.2,0.4,0.6,0.2,76.9,15.5,380.4,472.6,2.8,2.8,2.1,2.1,1.6,1.6,1.4,0.3,1.6,0.6,0.6]
                    [PKTLENS.....: 78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54]
               new: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] 
               new: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] 
@@ -49,7 +49,7 @@
                    [BINS(c->s)..: 12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 81.9,82.0,5.3,129.4,1.7,0.7,126.4,64.0,9.1,0.1,11.9,1.6,143.7,57.1,79.2,1.6,80.8,1.6,14.7,0.3,13.3,11.9,0.0,12.1,0.1,25.4,25.0,0.8,0.8,5.3,5.5,0.0]
+                   [IATS(ms)....: 81.9,82.0,5.3,129.4,1.7,0.7,126.4,64.0,9.1,0.1,11.9,1.6,143.7,57.1,79.2,1.6,80.8,1.6,14.7,0.3,13.3,11.9,0.0,12.1,0.1,25.4,25.0,0.8,0.8,5.3,5.5]
                    [PKTLENS.....: 78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54]
              idle: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable]
               end: [.....7] [ip4][..tcp] [..192.168.1.119][51638] -> [..104.22.72.170][..443] 
diff --git a/test/results/flow-info/ocs.pcap.out b/test/results/flow-info/ocs.pcap.out
index a87b2756e..550d1f188 100644
--- a/test/results/flow-info/ocs.pcap.out
+++ b/test/results/flow-info/ocs.pcap.out
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 83.8,14.3,246.9,0.6,0.5,68.4,1.8,71.5,0.5,5.4,4.1,41.7,146.0,90.8,71.1,77.4,63.4,3.7,80.5,1.7,86.1,0.6,67.3,32.6,43.3,386.6,73.7,2.5,928.6,31.7,2.1,0.0]
+                   [IATS(ms)....: 83.8,14.3,246.9,0.6,0.5,68.4,1.8,71.5,0.5,5.4,4.1,41.7,146.0,90.8,71.1,77.4,63.4,3.7,80.5,1.7,86.1,0.6,67.3,32.6,43.3,386.6,73.7,2.5,928.6,31.7,2.1]
                    [PKTLENS.....: 60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64]
               new: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] 
          detected: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Web][Acceptable]
@@ -66,7 +66,7 @@
                    [BINS(c->s)..: 31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 71.4,1.5,54.8,1.1,3.6,59.9,0.6,0.1,5.3,64.8,1.7,1.5,79.5,5.5,58.4,1.8,64.6,2.0,67.5,26.5,42.9,26.0,65.4,1.0,48.6,1.3,2.0,1.3,75.5,1.4,4.8,0.0]
+                   [IATS(ms)....: 71.4,1.5,54.8,1.1,3.6,59.9,0.6,0.1,5.3,64.8,1.7,1.5,79.5,5.5,58.4,1.8,64.6,2.0,67.5,26.5,42.9,26.0,65.4,1.0,48.6,1.3,2.0,1.3,75.5,1.4,4.8]
                    [PKTLENS.....: 60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72]
            update: [....17] [ip4][..udp] [..192.168.180.2][11793] -> [........8.8.8.8][...53] 
              idle: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun]
diff --git a/test/results/flow-info/ocsp.pcapng.out b/test/results/flow-info/ocsp.pcapng.out
index 1223443e3..04d545155 100644
--- a/test/results/flow-info/ocsp.pcapng.out
+++ b/test/results/flow-info/ocsp.pcapng.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 3.4,7.0,7.4,103.0,109.3,10007.8,10013.0,10151.7,10152.0,10240.5,10240.6,10243.1,10242.9,10236.1,10235.9,10239.9,10240.5,10239.9,10239.5,5617.7,5617.9,102.9,109.3,10148.8,10155.0,10236.1,10236.1,10239.8,10239.7,10240.0,0.0,0.0]
+                   [IATS(ms)....: 3.4,7.0,7.4,103.0,109.3,10007.8,10013.0,10151.7,10152.0,10240.5,10240.6,10243.1,10242.9,10236.1,10235.9,10239.9,10240.5,10239.9,10239.5,5617.7,5617.9,102.9,109.3,10148.8,10155.0,10236.1,10236.1,10239.8,10239.7,10240.0]
                    [PKTLENS.....: 126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118]
           analyse: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] [HTTP.OCSP][Network][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 12.0,16.1,0.3,19.6,157.1,176.9,7779.8,7796.1,1.3,16.6,10045.9,10060.7,10239.9,10239.7,10239.8,10240.0,10244.0,10243.9,10239.9,10240.0,10236.0,10236.1,10243.9,10244.0,10236.0,10235.9,10240.0,10239.8,10240.0,10240.0,10239.9,0.0]
+                   [IATS(ms)....: 12.0,16.1,0.3,19.6,157.1,176.9,7779.8,7796.1,1.3,16.6,10045.9,10060.7,10239.9,10239.7,10239.8,10240.0,10244.0,10243.9,10239.9,10240.0,10236.0,10236.1,10243.9,10244.0,10236.0,10235.9,10240.0,10239.8,10240.0,10240.0,10239.9]
                    [PKTLENS.....: 126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]
               new: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] 
          detected: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe]
@@ -47,7 +47,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 3.1,7.5,2.6,10.4,0.3,8.0,10198.6,10205.6,10239.9,10239.7,10240.0,10239.8,10240.1,10240.2,10239.7,10239.9,594.5,595.4,7.8,0.3,7.9,7.3,10142.0,10148.6,10239.9,10240.0,10239.9,10239.9,10240.0,10239.9,10239.9,0.0]
+                   [IATS(ms)....: 3.1,7.5,2.6,10.4,0.3,8.0,10198.6,10205.6,10239.9,10239.7,10240.0,10239.8,10240.1,10240.2,10239.7,10239.9,594.5,595.4,7.8,0.3,7.9,7.3,10142.0,10148.6,10239.9,10240.0,10239.9,10239.9,10240.0,10239.9,10239.9]
                    [PKTLENS.....: 126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118]
      DAEMON-EVENT: [Processed: 207 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -63,7 +63,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 3.4,7.4,0.9,8.1,0.6,9.1,10126.9,10134.8,10240.4,10240.5,10239.2,10239.6,10239.9,10239.7,10239.9,10239.5,10239.9,10240.2,10239.9,10240.1,10240.6,10240.2,10239.6,10239.4,10239.5,10240.0,10240.0,10240.0,2594.9,0.0,0.0,0.0]
+                   [IATS(ms)....: 3.4,7.4,0.9,8.1,0.6,9.1,10126.9,10134.8,10240.4,10240.5,10239.2,10239.6,10239.9,10239.7,10239.9,10239.5,10239.9,10240.2,10239.9,10240.1,10240.6,10240.2,10239.6,10239.4,10239.5,10240.0,10240.0,10240.0,2594.9]
                    [PKTLENS.....: 126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]
           analyse: [.....7] [ip4][..tcp] [..192.168.1.128][49382] -> [....52.85.15.92][...80] [HTTP.OCSP][Network][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -72,7 +72,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 12.0,16.5,0.4,17.1,110.0,126.6,9996.4,10012.4,10239.9,10239.8,10239.9,10240.2,10239.9,10239.6,10240.0,10240.0,10239.9,10240.1,10239.9,10239.7,10239.9,10240.0,10240.6,10240.6,10239.8,10239.8,10239.3,10239.5,3107.0,3107.9,16.9,0.0]
+                   [IATS(ms)....: 12.0,16.5,0.4,17.1,110.0,126.6,9996.4,10012.4,10239.9,10239.8,10239.9,10240.2,10239.9,10239.6,10240.0,10240.0,10239.9,10240.1,10239.9,10239.7,10239.9,10240.0,10240.6,10240.6,10239.8,10239.8,10239.3,10239.5,3107.0,3107.9,16.9]
                    [PKTLENS.....: 126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]
      DAEMON-EVENT: [Processed: 274 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 2 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -90,7 +90,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 12.2,16.6,0.5,17.8,3.4,21.7,1169.7,1186.8,9.8,24.7,1031.5,1046.7,2.5,19.0,10158.4,10174.4,10240.2,10240.5,10240.7,10240.4,10239.9,10239.9,10238.7,10240.1,10241.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 12.2,16.6,0.5,17.8,3.4,21.7,1169.7,1186.8,9.8,24.7,1031.5,1046.7,2.5,19.0,10158.4,10174.4,10240.2,10240.5,10240.7,10240.4,10239.9,10239.9,10238.7,10240.1,10241.2]
                    [PKTLENS.....: 126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118]
               end: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/ookla.pcap.out b/test/results/flow-info/ookla.pcap.out
index 01d5601ce..91a870708 100644
--- a/test/results/flow-info/ookla.pcap.out
+++ b/test/results/flow-info/ookla.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 36.8,36.9,28.0,64.0,0.1,36.1,38.4,72.7,34.3,27.1,61.9,34.7,97.7,133.2,35.5,27.7,63.1,35.3,68.5,103.7,35.3,26.0,61.1,35.1,103.2,137.7,34.5,32.6,67.3,34.6,94.1,0.0]
+                   [IATS(ms)....: 36.8,36.9,28.0,64.0,0.1,36.1,38.4,72.7,34.3,27.1,61.9,34.7,97.7,133.2,35.5,27.7,63.1,35.3,68.5,103.7,35.3,26.0,61.1,35.1,103.2,137.7,34.5,32.6,67.3,34.6,94.1]
                    [PKTLENS.....: 78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85]
               end: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe]
               end: [.....1] [ip4][..tcp] [....192.168.1.7][51207] -> [..46.44.253.187][...80] [HTTP.Ookla][Network][Safe]
diff --git a/test/results/flow-info/openvpn.pcap.out b/test/results/flow-info/openvpn.pcap.out
index 5987e4216..c1e86960f 100644
--- a/test/results/flow-info/openvpn.pcap.out
+++ b/test/results/flow-info/openvpn.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1]
-                   [IATS(ms)....: 54.9,55.0,945.3,997.7,0.5,52.9,0.2,76.4,76.2,41.0,2.7,0.1,43.9,0.1,0.2,0.3,40.5,40.5,41.0,41.0,0.1,0.1,0.3,41.0,41.0,40.3,40.3,0.5,0.1,0.6,40.1,0.0]
+                   [IATS(ms)....: 54.9,55.0,945.3,997.7,0.5,52.9,0.2,76.4,76.2,41.0,2.7,0.1,43.9,0.1,0.2,0.3,40.5,40.5,41.0,41.0,0.1,0.1,0.3,41.0,41.0,40.3,40.3,0.5,0.1,0.6,40.1]
                    [PKTLENS.....: 74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210]
      DAEMON-EVENT: [Processed: 95 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 195.2,195.8,0.8,177.2,176.2,0.5,0.5,0.5,0.4,0.5,0.5,98.5,98.6,29.6,29.6,19.8,19.8,0.4,0.5,50.1,50.0,29.9,30.0,20.3,20.2,9.5,9.5,38.3,38.3,31.9,31.9,0.0]
+                   [IATS(ms)....: 195.2,195.8,0.8,177.2,176.2,0.5,0.5,0.5,0.4,0.5,0.5,98.5,98.6,29.6,29.6,19.8,19.8,0.4,0.5,50.1,50.0,29.9,30.0,20.3,20.2,9.5,9.5,38.3,38.3,31.9,31.9]
                    [PKTLENS.....: 84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]
              idle: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable]
                    RISK: Known Proto on Non Std Port
@@ -41,7 +41,7 @@
                    [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 2195.9,2242.5,46.7,0.1,203.1,15.1,218.1,0.6,0.6,0.5,0.5,3.5,3.5,185.2,185.2,0.4,0.4,39.5,39.5,9.4,9.4,82.3,82.3,3.8,3.8,34.2,34.2,15.7,15.7,74.3,74.3,0.0]
+                   [IATS(ms)....: 2195.9,2242.5,46.7,0.1,203.1,15.1,218.1,0.6,0.6,0.5,0.5,3.5,3.5,185.2,185.2,0.4,0.4,39.5,39.5,9.4,9.4,82.3,82.3,3.8,3.8,34.2,34.2,15.7,15.7,74.3,74.3]
                    [PKTLENS.....: 84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]
              idle: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/pgm.pcap.out b/test/results/flow-info/pgm.pcap.out
index 58730cc42..f9747bd1f 100644
--- a/test/results/flow-info/pgm.pcap.out
+++ b/test/results/flow-info/pgm.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 840.7,20.8,0.0,36.8,5.6,0.1,6.6,0.0,17.0,0.0,14.9,14.7,0.0,37.3,0.0,168.2,95.0,1.6,67.0,1.6,11.0,51.2,0.0,243.0,25.5,16.0,6.4,15.0,3.5,0.1,240.0,0.0]
+                   [IATS(ms)....: 840.7,20.8,0.0,36.8,5.6,0.1,6.6,0.0,17.0,0.0,14.9,14.7,0.0,37.3,0.0,168.2,95.0,1.6,67.0,1.6,11.0,51.2,0.0,243.0,25.5,16.0,6.4,15.0,3.5,0.1,240.0]
                    [PKTLENS.....: 70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127]
              idle: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/pinterest.pcap.out b/test/results/flow-info/pinterest.pcap.out
index 805bfdcd7..3d2cbe63f 100644
--- a/test/results/flow-info/pinterest.pcap.out
+++ b/test/results/flow-info/pinterest.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 17.6,17.7,0.5,40.0,1.7,0.0,0.0,41.2,0.0,0.0,0.2,0.0,0.2,0.0,0.0,7.0,0.3,0.4,41.6,0.0,0.0,33.9,0.5,0.0,0.5,0.2,42.0,172.4,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 17.6,17.7,0.5,40.0,1.7,0.0,0.0,41.2,0.0,0.0,0.2,0.0,0.2,0.0,0.0,7.0,0.3,0.4,41.6,0.0,0.0,33.9,0.5,0.0,0.5,0.2,42.0,172.4,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563]
  detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun]
               new: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] 
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0]
-                   [IATS(ms)....: 29.2,29.3,0.5,30.6,2.1,0.0,0.0,0.0,32.2,0.0,0.0,0.0,7.2,0.3,2.0,0.2,0.1,0.3,0.4,53.9,0.0,0.2,0.0,43.6,1.3,0.0,1.3,0.2,0.8,0.5,0.0,0.0]
+                   [IATS(ms)....: 29.2,29.3,0.5,30.6,2.1,0.0,0.0,0.0,32.2,0.0,0.0,0.0,7.2,0.3,2.0,0.2,0.1,0.3,0.4,53.9,0.0,0.2,0.0,43.6,1.3,0.0,1.3,0.2,0.8,0.5]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86]
               new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] 
          detected: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][Web][Safe]
@@ -68,7 +68,7 @@
                    [BINS(c->s)..: 12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1]
-                   [IATS(ms)....: 26.0,26.0,0.2,34.5,9.5,43.8,0.0,0.1,0.0,2.4,0.1,0.1,39.2,0.0,0.2,0.3,37.1,0.3,3.1,2.9,7.2,0.0,7.1,0.0,0.0,0.7,0.6,0.6,26.3,0.0,0.0,0.0]
+                   [IATS(ms)....: 26.0,26.0,0.2,34.5,9.5,43.8,0.0,0.1,0.0,2.4,0.1,0.1,39.2,0.0,0.2,0.3,37.1,0.3,3.1,2.9,7.2,0.0,7.1,0.0,0.0,0.7,0.6,0.6,26.3]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86]
  detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun]
  detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun]
@@ -80,7 +80,7 @@
                    [BINS(c->s)..: 11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0]
-                   [IATS(ms)....: 23.5,23.5,0.2,32.3,1.9,0.0,34.0,0.0,0.0,0.3,0.2,0.0,1.7,0.1,0.1,35.1,5.7,3.7,0.0,42.6,0.0,0.1,39.2,93.6,132.7,1.2,0.1,0.1,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 23.5,23.5,0.2,32.3,1.9,0.0,34.0,0.0,0.0,0.3,0.2,0.0,1.7,0.1,0.1,35.1,5.7,3.7,0.0,42.6,0.0,0.1,39.2,93.6,132.7,1.2,0.1,0.1]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585]
          detected: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe]
  detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe]
@@ -92,7 +92,7 @@
                    [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0]
-                   [IATS(ms)....: 39.8,39.9,0.4,39.9,1.9,0.0,41.3,0.0,0.1,0.0,0.0,0.6,0.6,0.0,2.9,2.6,0.6,39.8,0.1,1.1,1.9,36.8,0.0,0.2,49.7,40.1,89.6,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 39.8,39.9,0.4,39.9,1.9,0.0,41.3,0.0,0.1,0.0,0.0,0.6,0.6,0.0,2.9,2.6,0.6,39.8,0.1,1.1,1.9,36.8,0.0,0.2,49.7,40.1,89.6]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86]
  detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun]
           analyse: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] 
@@ -102,7 +102,7 @@
                    [BINS(c->s)..: 12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1]
-                   [IATS(ms)....: 50.3,50.3,0.2,31.7,3.1,34.6,0.0,0.7,0.7,1.2,0.0,1.2,0.0,2.6,0.1,0.2,32.3,0.0,29.5,0.0,0.5,0.0,0.5,0.0,0.0,0.6,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 50.3,50.3,0.2,31.7,3.1,34.6,0.0,0.7,0.7,1.2,0.0,1.2,0.0,2.6,0.1,0.2,32.3,0.0,29.5,0.0,0.5,0.0,0.5,0.0,0.0,0.6]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474]
  detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Media][Safe]
               new: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] 
@@ -121,7 +121,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 76.8,76.9,1.8,47.3,30.0,75.4,0.0,0.0,2.1,0.6,1.6,47.9,0.1,0.0,0.0,0.0,0.0,43.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 76.8,76.9,1.8,47.3,30.0,75.4,0.0,0.0,2.1,0.6,1.6,47.9,0.1,0.0,0.0,0.0,0.0,43.7,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86]
           analyse: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -130,7 +130,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1]
-                   [IATS(ms)....: 51.6,51.7,0.6,28.0,20.5,0.0,47.7,0.0,0.0,3.3,0.2,0.1,70.0,0.0,0.0,13.2,79.5,0.3,8.7,8.4,16.7,0.0,0.0,0.0,16.7,0.0,0.0,0.0,0.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 51.6,51.7,0.6,28.0,20.5,0.0,47.7,0.0,0.0,3.3,0.2,0.1,70.0,0.0,0.0,13.2,79.5,0.3,8.7,8.4,16.7,0.0,0.0,0.0,16.7,0.0,0.0,0.0,0.2,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294]
           analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -139,7 +139,7 @@
                    [BINS(c->s)..: 12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 27.0,27.1,0.2,32.3,0.0,32.0,0.0,3.9,0.4,0.1,64.7,93.2,0.0,0.0,0.3,0.0,0.0,0.0,24.3,0.0,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.0,4.4,39.9,0.0,0.0]
+                   [IATS(ms)....: 27.0,27.1,0.2,32.3,0.0,32.0,0.0,3.9,0.4,0.1,64.7,93.2,0.0,0.0,0.3,0.0,0.0,0.0,24.3,0.0,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.0,4.4,39.9]
                    [PKTLENS.....: 94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213]
               new: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] 
          detected: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun]
@@ -156,7 +156,7 @@
                    [BINS(c->s)..: 7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1]
-                   [IATS(ms)....: 0.2,23.5,0.2,5.1,0.0,28.6,0.3,0.0,0.0,0.0,0.2,0.0,0.0,0.0,0.4,0.0,0.0,0.4,0.0,1.3,0.0,1.3,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.2,23.5,0.2,5.1,0.0,28.6,0.3,0.0,0.0,0.0,0.2,0.0,0.0,0.0,0.4,0.0,0.0,0.4,0.0,1.3,0.0,1.3,0.1,0.0,0.0]
                    [PKTLENS.....: 244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294]
               new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] 
          detected: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable]
@@ -168,7 +168,7 @@
                    [BINS(c->s)..: 11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 55.5,55.6,2.6,45.1,17.8,0.0,60.2,0.0,0.3,0.3,9.4,2.5,0.6,42.9,0.2,0.0,30.6,0.2,14.9,14.7,23.0,23.0,0.0,0.1,0.1,1.6,29.4,1485.9,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 55.5,55.6,2.6,45.1,17.8,0.0,60.2,0.0,0.3,0.3,9.4,2.5,0.6,42.9,0.2,0.0,30.6,0.2,14.9,14.7,23.0,23.0,0.0,0.1,0.1,1.6,29.4,1485.9]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251]
           analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -177,7 +177,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 23.4,23.6,0.6,27.8,5.3,0.0,32.3,0.0,0.0,3.2,0.2,0.2,43.0,0.9,0.0,0.2,40.4,0.9,3.4,2.5,21.4,0.0,21.3,0.0,7.8,0.0,0.0,7.8,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 23.4,23.6,0.6,27.8,5.3,0.0,32.3,0.0,0.0,3.2,0.2,0.2,43.0,0.9,0.0,0.2,40.4,0.9,3.4,2.5,21.4,0.0,21.3,0.0,7.8,0.0,0.0,7.8,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86]
           analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -186,7 +186,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1]
-                   [IATS(ms)....: 51.0,51.1,0.7,184.3,0.0,183.7,0.1,7.5,8.6,3.9,48.7,0.0,10.6,0.0,0.0,39.2,0.1,0.0,1.7,5.8,4.0,34.7,42.4,77.0,1489.8,1522.2,0.0,32.5,72.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 51.0,51.1,0.7,184.3,0.0,183.7,0.1,7.5,8.6,3.9,48.7,0.0,10.6,0.0,0.0,39.2,0.1,0.0,1.7,5.8,4.0,34.7,42.4,77.0,1489.8,1522.2,0.0,32.5,72.0]
                    [PKTLENS.....: 94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388]
               new: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56940] -> [......................2a04:4e42:1d::720][..443] [MIDSTREAM] 
               new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51472] -> [...............2a00:1450:4007:816::2003][..443] [MIDSTREAM] 
@@ -213,7 +213,7 @@
                    [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 46.9,46.9,0.2,112.0,45.4,0.0,157.3,0.0,0.0,2.9,0.3,3.0,37.7,0.0,1.1,0.0,32.6,0.0,0.0,0.6,1.0,0.0,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 46.9,46.9,0.2,112.0,45.4,0.0,157.3,0.0,0.0,2.9,0.3,3.0,37.7,0.0,1.1,0.0,32.6,0.0,0.0,0.6,1.0,0.0,0.3,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86]
           analyse: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -222,7 +222,7 @@
                    [BINS(c->s)..: 9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1]
-                   [IATS(ms)....: 46.5,46.6,0.4,49.8,3.6,52.9,0.0,1.3,0.0,1.3,0.0,2.4,0.3,0.5,109.0,0.0,0.0,105.9,0.0,0.0,6.5,35.8,111.1,136.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 46.5,46.6,0.4,49.8,3.6,52.9,0.0,1.3,0.0,1.3,0.0,2.4,0.3,0.5,109.0,0.0,0.0,105.9,0.0,0.0,6.5,35.8,111.1,136.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474]
  detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun]
               new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] 
@@ -236,7 +236,7 @@
                    [BINS(c->s)..: 11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1]
-                   [IATS(ms)....: 21.0,21.0,0.5,37.1,8.9,0.0,45.5,0.0,2.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.1,0.0,7.8,0.5,0.4,31.0,0.0,0.4,0.0,22.8,0.0,0.4,8.3,2.6,0.0,0.0]
+                   [IATS(ms)....: 21.0,21.0,0.5,37.1,8.9,0.0,45.5,0.0,2.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.1,0.0,7.8,0.5,0.4,31.0,0.0,0.4,0.0,22.8,0.0,0.4,8.3,2.6,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134]
  detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Media][Safe]
           guessed: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/pop3_stls.pcap.out b/test/results/flow-info/pop3_stls.pcap.out
index fa44f44e9..c24de3787 100644
--- a/test/results/flow-info/pop3_stls.pcap.out
+++ b/test/results/flow-info/pop3_stls.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1]
-                   [IATS(ms)....: 68.2,69.0,68.7,120.6,119.8,1003.1,1075.3,72.5,0.5,70.8,70.3,69.5,71.0,0.2,69.9,69.1,0.3,69.2,7.0,114.4,36.0,229.4,154.0,2002.9,2072.1,69.1,0.7,117.2,116.7,68.9,75.8,0.0]
+                   [IATS(ms)....: 68.2,69.0,68.7,120.6,119.8,1003.1,1075.3,72.5,0.5,70.8,70.3,69.5,71.0,0.2,69.9,69.1,0.3,69.2,7.0,114.4,36.0,229.4,154.0,2002.9,2072.1,69.1,0.7,117.2,116.7,68.9,75.8]
                    [PKTLENS.....: 66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103]
  detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe]
                    RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older)
diff --git a/test/results/flow-info/pps.pcap.out b/test/results/flow-info/pps.pcap.out
index ad8b314bb..70b216125 100644
--- a/test/results/flow-info/pps.pcap.out
+++ b/test/results/flow-info/pps.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 0.3,0.3,3.0,2.0,4.7,0.3,0.1,0.0,0.6,0.6,2.0,0.9,0.2,1.9,1.1,0.1,11.9,11.8,0.1,13.6,13.5,0.1,2.8,2.6,0.2,1.3,1.0,0.1,1.6,1.9,0.3,0.0]
+                   [IATS(ms)....: 0.3,0.3,3.0,2.0,4.7,0.3,0.1,0.0,0.6,0.6,2.0,0.9,0.2,1.9,1.1,0.1,11.9,11.8,0.1,13.6,13.5,0.1,2.8,2.6,0.2,1.3,1.0,0.1,1.6,1.9,0.3]
                    [PKTLENS.....: 1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]
      not-detected: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] [Unknown][Unrated]
           analyse: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] 
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.3,12.6,12.6,0.2,1.1,0.9,0.1,1.6,1.5,0.2,2.1,1.8,0.3,0.7,0.6,0.3,1.7,1.1,0.1,3.6,5.8,0.4,11.9,9.1,0.1,1.2,1.4,0.1,1.5,1.1,0.1,0.0]
+                   [IATS(ms)....: 0.3,12.6,12.6,0.2,1.1,0.9,0.1,1.6,1.5,0.2,2.1,1.8,0.3,0.7,0.6,0.3,1.7,1.1,0.1,3.6,5.8,0.4,11.9,9.1,0.1,1.2,1.4,0.1,1.5,1.1,0.1]
                    [PKTLENS.....: 79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]
      not-detected: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] [Unknown][Unrated]
               new: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793] 
@@ -36,7 +36,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0]
-                   [IATS(ms)....: 0.4,0.2,4.9,0.2,24.3,18.9,0.1,5.4,6.9,0.2,19.1,17.6,0.1,13.8,13.8,0.1,13.1,15.4,0.1,27.0,24.4,0.2,9.0,11.0,0.4,2.0,0.9,14.1,8.3,0.1,12.1,0.0]
+                   [IATS(ms)....: 0.4,0.2,4.9,0.2,24.3,18.9,0.1,5.4,6.9,0.2,19.1,17.6,0.1,13.8,13.8,0.1,13.1,15.4,0.1,27.0,24.4,0.2,9.0,11.0,0.4,2.0,0.9,14.1,8.3,0.1,12.1]
                    [PKTLENS.....: 1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107]
      not-detected: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] [Unknown][Unrated]
               new: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80] [MIDSTREAM] 
@@ -48,7 +48,7 @@
                    [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0]
-                   [IATS(ms)....: 0.4,29.9,29.7,0.1,32.0,32.8,0.3,45.7,0.3,69.6,23.0,0.1,42.0,41.6,0.1,36.0,0.3,59.5,23.0,0.1,31.8,32.2,0.3,44.4,0.3,68.3,22.7,0.2,30.9,30.8,0.2,0.0]
+                   [IATS(ms)....: 0.4,29.9,29.7,0.1,32.0,32.8,0.3,45.7,0.3,69.6,23.0,0.1,42.0,41.6,0.1,36.0,0.3,59.5,23.0,0.1,31.8,32.2,0.3,44.4,0.3,68.3,22.7,0.2,30.9,30.8,0.2]
                    [PKTLENS.....: 79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79]
      not-detected: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] [Unknown][Unrated]
               new: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] 
@@ -84,7 +84,7 @@
                    [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1]
-                   [IATS(ms)....: 0.9,52.8,52.3,0.3,55.5,0.1,77.7,22.0,0.2,78.3,79.3,0.5,0.4,0.1,46.5,44.4,0.1,18.4,18.5,0.3,36.0,0.1,108.0,71.5,0.7,28.3,0.5,45.9,16.1,0.4,33.5,0.0]
+                   [IATS(ms)....: 0.9,52.8,52.3,0.3,55.5,0.1,77.7,22.0,0.2,78.3,79.3,0.5,0.4,0.1,46.5,44.4,0.1,18.4,18.5,0.3,36.0,0.1,108.0,71.5,0.7,28.3,0.5,45.9,16.1,0.4,33.5]
                    [PKTLENS.....: 79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61]
      not-detected: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] [Unknown][Unrated]
               new: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [MIDSTREAM] 
@@ -225,7 +225,7 @@
                    [BINS(c->s)..: 0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 2.9,35.0,35.8,0.0,0.1,1.0,0.0,0.0,0.0,0.0,0.0,0.0,4.1,0.0,0.0,0.0,0.0,0.6,0.0,0.0,0.0,4.3,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 2.9,35.0,35.8,0.0,0.1,1.0,0.0,0.0,0.0,0.0,0.0,0.0,4.1,0.0,0.0,0.0,0.0,0.6,0.0,0.0,0.0,4.3,0.1,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]
               new: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] 
          detected: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] [SSDP][System][Acceptable]
@@ -274,7 +274,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 61.4,0.0,0.0,0.0,0.0,30.3,0.0,0.0,0.0,25.9,0.0,0.5,0.0,0.0,0.0,0.6,0.0,3.5,0.0,0.8,0.0,0.0,0.0,0.0,0.0,2.2,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 61.4,0.0,0.0,0.0,0.0,30.3,0.0,0.0,0.0,25.9,0.0,0.5,0.0,0.0,0.0,0.6,0.0,3.5,0.0,0.8,0.0,0.0,0.0,0.0,0.0,2.2]
                    [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]
               new: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] 
          detected: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] [SSDP][System][Acceptable]
@@ -289,7 +289,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 62.9,0.0,0.0,0.0,0.0,0.0,28.6,0.0,0.0,57.9,0.0,0.0,0.0,0.0,0.0,0.3,0.0,0.3,0.0,3.2,0.0,0.0,0.8,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 62.9,0.0,0.0,0.0,0.0,0.0,28.6,0.0,0.0,57.9,0.0,0.0,0.0,0.0,0.0,0.3,0.0,0.3,0.0,3.2,0.0,0.0,0.8,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]
            update: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][System][Acceptable]
               new: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [MIDSTREAM] 
diff --git a/test/results/flow-info/psiphon3.pcap.out b/test/results/flow-info/psiphon3.pcap.out
index 7bdfc5de8..8637a6bff 100644
--- a/test/results/flow-info/psiphon3.pcap.out
+++ b/test/results/flow-info/psiphon3.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0]
-                   [IATS(ms)....: 6.0,17.4,14.4,1.0,16.0,7.0,5.0,3.0,28.0,2.0,3.0,1.0,7.0,25.9,1.4,4.0,20.8,1.0,46.1,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 6.0,17.4,14.4,1.0,16.0,7.0,5.0,3.0,28.0,2.0,3.0,1.0,7.0,25.9,1.4,4.0,20.8,1.0,46.1,1.0]
                    [PKTLENS.....: 60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]
  detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable]
                    RISK: Missing SNI TLS Extn
diff --git a/test/results/flow-info/quic-28.pcap.out b/test/results/flow-info/quic-28.pcap.out
index bcb88f50f..455182a57 100644
--- a/test/results/flow-info/quic-28.pcap.out
+++ b/test/results/flow-info/quic-28.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1]
-                   [IATS(ms)....: 13.6,13.8,13.9,1.1,15.1,1.4,0.0,0.0,2.2,0.3,0.0,0.0,0.0,14.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,13.8,1.2,10.5,11.8,5.5,19.9,6.5,21.0,4.0,19.1,0.0]
+                   [IATS(ms)....: 13.6,13.8,13.9,1.1,15.1,1.4,0.0,0.0,2.2,0.3,0.0,0.0,0.0,14.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,13.8,1.2,10.5,11.8,5.5,19.9,6.5,21.0,4.0,19.1]
                    [PKTLENS.....: 1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86]
              idle: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/quic-33.pcapng.out b/test/results/flow-info/quic-33.pcapng.out
index 3d27e5175..646aa8f3f 100644
--- a/test/results/flow-info/quic-33.pcapng.out
+++ b/test/results/flow-info/quic-33.pcapng.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0]
                    [DIRECTIONS..: 0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 2.8,0.1,0.0,3.4,0.6,0.3,0.0,0.4,0.1,0.4,0.0,1.1,1.4,0.5,0.0,0.3,0.1,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 2.8,0.1,0.0,3.4,0.6,0.3,0.0,0.4,0.1,0.4,0.0,1.1,1.4,0.5,0.0,0.3,0.1,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502]
              idle: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable]
                    RISK: Known Proto on Non Std Port, Missing SNI TLS Extn
diff --git a/test/results/flow-info/quic-mvfst-22.pcap.out b/test/results/flow-info/quic-mvfst-22.pcap.out
index 87584d58c..527383a21 100644
--- a/test/results/flow-info/quic-mvfst-22.pcap.out
+++ b/test/results/flow-info/quic-mvfst-22.pcap.out
@@ -8,7 +8,7 @@
                    [BINS(c->s)..: 1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1]
-                   [IATS(ms)....: 6.6,0.2,0.0,0.0,15.8,0.2,0.1,25.7,16.5,24.4,2091.0,2072.8,30.6,212.7,1.8,0.1,243.4,0.0,25.4,21.9,80.7,0.0,0.0,0.0,0.0,96.7,35.8,60.9,0.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 6.6,0.2,0.0,0.0,15.8,0.2,0.1,25.7,16.5,24.4,2091.0,2072.8,30.6,212.7,1.8,0.1,243.4,0.0,25.4,21.9,80.7,0.0,0.0,0.0,0.0,96.7,35.8,60.9,0.1,0.0]
                    [PKTLENS.....: 1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294]
            update: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun]
              idle: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun]
diff --git a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out
index 21765df4b..bbd353386 100644
--- a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out
+++ b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 1.0,3.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 1.0,3.0,1.0]
                    [PKTLENS.....: 1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280]
              idle: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/quic-v2-01.pcapng.out b/test/results/flow-info/quic-v2-01.pcapng.out
index db094e430..020949c60 100644
--- a/test/results/flow-info/quic-v2-01.pcapng.out
+++ b/test/results/flow-info/quic-v2-01.pcapng.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0]
                    [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1]
-                   [IATS(ms)....: 2.2,0.0,0.1,2.6,0.0,0.2,0.5,0.1,0.1,0.4,0.5,0.3,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.3,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.4,0.3,0.0]
+                   [IATS(ms)....: 2.2,0.0,0.1,2.6,0.0,0.2,0.5,0.1,0.1,0.4,0.5,0.3,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.3,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.4,0.3]
                    [PKTLENS.....: 1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482]
              idle: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable]
                    RISK: Known Proto on Non Std Port, Missing SNI TLS Extn
diff --git a/test/results/flow-info/quic.pcap.out b/test/results/flow-info/quic.pcap.out
index bbb2e87ee..1fe34e397 100644
--- a/test/results/flow-info/quic.pcap.out
+++ b/test/results/flow-info/quic.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0]
                    [BINS(s->c)..: 4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0]
-                   [IATS(ms)....: 46.0,60.1,14.8,65.4,2.5,93.4,168.1,168.1,622.7,681.3,0.0,58.0,3119.1,3197.6,0.0,0.0,54.1,25.5,1951.1,28.6,2034.7,28.3,0.0,0.0,56.9,470.8,496.4,2190.2,2289.8,44.7,126.0,0.0]
+                   [IATS(ms)....: 46.0,60.1,14.8,65.4,2.5,93.4,168.1,168.1,622.7,681.3,0.0,58.0,3119.1,3197.6,0.0,0.0,54.1,25.5,1951.1,28.6,2034.7,28.3,0.0,0.0,56.9,470.8,496.4,2190.2,2289.8,44.7,126.0]
                    [PKTLENS.....: 1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469]
      DAEMON-EVENT: [Processed: 413 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -46,7 +46,7 @@
                    [BINS(c->s)..: 0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1]
-                   [IATS(ms)....: 0.6,35.4,0.0,40.5,0.1,24.0,26.0,16.8,0.1,0.5,35.5,51.7,0.4,0.0,26.6,25.6,828.6,0.0,803.2,0.6,0.4,0.2,0.8,0.2,0.4,0.2,0.3,0.2,0.5,0.3,0.2,0.0]
+                   [IATS(ms)....: 0.6,35.4,0.0,40.5,0.1,24.0,26.0,16.8,0.1,0.5,35.5,51.7,0.4,0.0,26.6,25.6,828.6,0.0,803.2,0.6,0.4,0.2,0.8,0.2,0.4,0.2,0.3,0.2,0.5,0.3,0.2]
                    [PKTLENS.....: 1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392]
              idle: [.....7] [ip4][..udp] [..192.168.1.105][40030] -> [.216.58.201.227][..443] [QUIC.Google][Web][Acceptable]
           guessed: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] [Google][Web][Acceptable]
diff --git a/test/results/flow-info/quic046.pcap.out b/test/results/flow-info/quic046.pcap.out
index 902209407..02443648f 100644
--- a/test/results/flow-info/quic046.pcap.out
+++ b/test/results/flow-info/quic046.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 1.0,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.7,21.2,29.5,0.4,0.2,0.2,0.2,0.2,0.2,0.3,0.3,0.3,0.2,0.3,0.2,0.2,0.3,0.3,6.5,0.2,0.5,0.7,0.2,0.0]
+                   [IATS(ms)....: 1.0,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.7,21.2,29.5,0.4,0.2,0.2,0.2,0.2,0.2,0.3,0.3,0.3,0.2,0.3,0.2,0.2,0.3,0.3,6.5,0.2,0.5,0.7,0.2]
                    [PKTLENS.....: 1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392]
              idle: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/quic_q39.pcap.out b/test/results/flow-info/quic_q39.pcap.out
index 4dae20063..c09e2f48a 100644
--- a/test/results/flow-info/quic_q39.pcap.out
+++ b/test/results/flow-info/quic_q39.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0]
-                   [IATS(ms)....: 8.9,36.7,89.8,0.0,404.1,1.4,298.3,119.2,0.0,434.8,6185.3,12.8,6514.6,11.4,11.4,22.7,702.6,702.7,435.3,435.2,11.4,11.4,16.0,15.9,397.2,9.2,397.7,33.9,93.4,0.1,499.9,0.0]
+                   [IATS(ms)....: 8.9,36.7,89.8,0.0,404.1,1.4,298.3,119.2,0.0,434.8,6185.3,12.8,6514.6,11.4,11.4,22.7,702.6,702.7,435.3,435.2,11.4,11.4,16.0,15.9,397.2,9.2,397.7,33.9,93.4,0.1,499.9]
                    [PKTLENS.....: 1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98]
              idle: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/quic_t51.pcap.out b/test/results/flow-info/quic_t51.pcap.out
index a663a24eb..a59012dfd 100644
--- a/test/results/flow-info/quic_t51.pcap.out
+++ b/test/results/flow-info/quic_t51.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0]
-                   [IATS(ms)....: 5.9,69.3,110.8,0.0,0.0,113.6,2.3,5.8,80.0,0.0,46.4,10090.9,10162.3,246.2,1.4,0.0,331.6,26.2,19472.4,19582.6,120.2,0.7,0.2,185.0,26.5,2999.5,3090.0,125.9,1.4,0.1,205.6,0.0]
+                   [IATS(ms)....: 5.9,69.3,110.8,0.0,0.0,113.6,2.3,5.8,80.0,0.0,46.4,10090.9,10162.3,246.2,1.4,0.0,331.6,26.2,19472.4,19582.6,120.2,0.7,0.2,185.0,26.5,2999.5,3090.0,125.9,1.4,0.1,205.6]
                    [PKTLENS.....: 1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75]
            update: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable]
              idle: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable]
diff --git a/test/results/flow-info/quickplay.pcap.out b/test/results/flow-info/quickplay.pcap.out
index 82c3d6a97..3955279a4 100644
--- a/test/results/flow-info/quickplay.pcap.out
+++ b/test/results/flow-info/quickplay.pcap.out
@@ -40,7 +40,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 2337.9,2470.8,5776.6,5871.2,324.6,2084.5,1689.1,182.6,2170.3,2013.3,645.6,519.6,2223.7,2353.5,480.9,4401.9,3911.8,3909.7,3936.6,2356.5,2338.3,2620.0,2626.5,2264.1,2270.5,2391.5,2349.5,2604.5,2642.0,2224.9,2252.1,0.0]
+                   [IATS(ms)....: 2337.9,2470.8,5776.6,5871.2,324.6,2084.5,1689.1,182.6,2170.3,2013.3,645.6,519.6,2223.7,2353.5,480.9,4401.9,3911.8,3909.7,3936.6,2356.5,2338.3,2620.0,2626.5,2264.1,2270.5,2391.5,2349.5,2604.5,2642.0,2224.9,2252.1]
                    [PKTLENS.....: 500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502]
               new: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [MIDSTREAM] 
          detected: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Chat][Fun]
diff --git a/test/results/flow-info/rdp.pcap.out b/test/results/flow-info/rdp.pcap.out
index c51d8686f..e23956442 100644
--- a/test/results/flow-info/rdp.pcap.out
+++ b/test/results/flow-info/rdp.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 42.4,42.5,0.4,46.1,45.8,5.9,50.4,44.5,5.2,48.3,43.1,41.5,86.2,44.7,10.2,53.9,43.7,0.3,43.8,43.5,0.3,43.7,43.4,0.3,0.1,43.6,40.3,83.3,0.3,42.5,42.2,0.0]
+                   [IATS(ms)....: 42.4,42.5,0.4,46.1,45.8,5.9,50.4,44.5,5.2,48.3,43.1,41.5,86.2,44.7,10.2,53.9,43.7,0.3,43.8,43.5,0.3,43.7,43.4,0.3,0.1,43.6,40.3,83.3,0.3,42.5,42.2]
                    [PKTLENS.....: 68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44]
               end: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable]
                    RISK: Desktop/File Sharing
diff --git a/test/results/flow-info/reasm_crash_anon.pcapng.out b/test/results/flow-info/reasm_crash_anon.pcapng.out
index e16d70372..1dda04114 100644
--- a/test/results/flow-info/reasm_crash_anon.pcapng.out
+++ b/test/results/flow-info/reasm_crash_anon.pcapng.out
@@ -9,7 +9,7 @@
                    [BINS(c->s)..: 23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0]
-                   [IATS(ms)....: 0.0,1.5,1.5,0.0,1.2,1.2,0.0,30097.7,30099.5,1.8,0.0,1.2,1.2,30097.5,0.0,30099.3,1.8,1.2,30097.4,1.8,0.0,30101.7,1.2,30097.5,30165.6,1.3,69.4,30031.1,0.0,30032.8,1.7,0.0]
+                   [IATS(ms)....: 0.0,1.5,1.5,0.0,1.2,1.2,0.0,30097.7,30099.5,1.8,0.0,1.2,1.2,30097.5,0.0,30099.3,1.8,1.2,30097.4,1.8,0.0,30101.7,1.2,30097.5,30165.6,1.3,69.4,30031.1,0.0,30032.8,1.7]
                    [PKTLENS.....: 81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68]
      not-detected: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unrated]
      DAEMON-EVENT: [Processed: 93 pkts][ZLib][compressions: 0|diff: 0 / 0]
diff --git a/test/results/flow-info/reasm_segv_anon.pcapng.out b/test/results/flow-info/reasm_segv_anon.pcapng.out
index 497252823..1c5472ea1 100644
--- a/test/results/flow-info/reasm_segv_anon.pcapng.out
+++ b/test/results/flow-info/reasm_segv_anon.pcapng.out
@@ -19,7 +19,7 @@
                    [BINS(c->s)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1]
-                   [IATS(ms)....: 396.0,83.8,1376.2,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,1859.1,964.9,439.7,439.7,0.1,0.0,0.0,0.0,0.0,0.1,163.9,20.1,1615.4,1799.0,0.1,0.0,155.8,155.6,0.1,0.0]
+                   [IATS(ms)....: 396.0,83.8,1376.2,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,1859.1,964.9,439.7,439.7,0.1,0.0,0.0,0.0,0.0,0.1,163.9,20.1,1615.4,1799.0,0.1,0.0,155.8,155.6,0.1]
                    [PKTLENS.....: 106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402]
       ERROR-EVENT: Captured packet size is smaller than expected packet size
       ERROR-EVENT: Captured packet size is smaller than expected packet size
diff --git a/test/results/flow-info/reddit.pcap.out b/test/results/flow-info/reddit.pcap.out
index ef632d689..2ded32e29 100644
--- a/test/results/flow-info/reddit.pcap.out
+++ b/test/results/flow-info/reddit.pcap.out
@@ -22,7 +22,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 24.9,25.0,0.5,75.6,0.0,0.0,75.2,0.0,0.0,8.8,5.0,0.6,0.7,37.6,3.5,25.9,1.2,0.5,1.6,1.1,59.9,0.0,0.0,0.0,0.0,58.8,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 24.9,25.0,0.5,75.6,0.0,0.0,75.2,0.0,0.0,8.8,5.0,0.6,0.7,37.6,3.5,25.9,1.2,0.5,1.6,1.1,59.9,0.0,0.0,0.0,0.0,58.8,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86]
           analyse: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -31,7 +31,7 @@
                    [BINS(c->s)..: 9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1]
-                   [IATS(ms)....: 33.2,33.2,0.9,66.6,0.0,0.0,0.0,0.0,65.7,0.0,0.0,0.0,13.2,0.7,0.5,42.1,0.0,27.6,0.5,0.5,1.4,59.9,0.1,1228.9,1287.6,0.9,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 33.2,33.2,0.9,66.6,0.0,0.0,0.0,0.0,65.7,0.0,0.0,0.0,13.2,0.7,0.5,42.1,0.0,27.6,0.5,0.5,1.4,59.9,0.1,1228.9,1287.6,0.9,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134]
  detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
               new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56562] -> [.....................64:ff9b::9765:798c][..443] 
@@ -101,7 +101,7 @@
                    [BINS(c->s)..: 8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0]
                    [BINS(s->c)..: 4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0]
-                   [IATS(ms)....: 29.9,29.9,0.1,38.0,2.3,0.0,40.2,0.0,0.1,0.0,0.0,2.7,0.1,0.6,0.0,0.2,0.0,41.5,1.3,39.1,1.6,0.0,7.3,1.5,7.3,2.1,0.2,0.1,0.0,0.2,0.0,0.0]
+                   [IATS(ms)....: 29.9,29.9,0.1,38.0,2.3,0.0,40.2,0.0,0.1,0.0,0.0,2.7,0.1,0.6,0.0,0.2,0.0,41.5,1.3,39.1,1.6,0.0,7.3,1.5,7.3,2.1,0.2,0.1,0.0,0.2]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308]
  detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
  detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
@@ -114,7 +114,7 @@
                    [BINS(c->s)..: 8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 38.7,38.7,0.2,38.5,0.0,38.3,0.0,0.0,0.3,0.3,0.0,2.2,2.8,0.2,0.2,6.5,48.3,2.9,39.3,6.8,2.7,0.0,9.6,0.3,0.8,2.1,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 38.7,38.7,0.2,38.5,0.0,38.3,0.0,0.0,0.3,0.3,0.0,2.2,2.8,0.2,0.2,6.5,48.3,2.9,39.3,6.8,2.7,0.0,9.6,0.3,0.8,2.1,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134]
  detection-update: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56578] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
           analyse: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443] 
@@ -124,7 +124,7 @@
                    [BINS(c->s)..: 10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 36.1,36.1,0.1,41.3,0.0,41.2,0.0,0.0,0.7,0.7,0.0,2.3,1.1,0.2,0.0,0.2,60.3,1.0,57.4,0.0,0.0,0.0,0.0,0.0,0.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 36.1,36.1,0.1,41.3,0.0,41.2,0.0,0.0,0.7,0.7,0.0,2.3,1.1,0.2,0.0,0.2,60.3,1.0,57.4,0.0,0.0,0.0,0.0,0.0,0.9]
                    [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124]
  detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
           analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] 
@@ -134,7 +134,7 @@
                    [BINS(c->s)..: 11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1]
-                   [IATS(ms)....: 44.6,44.7,0.3,51.0,1.8,0.0,52.5,0.0,0.0,0.0,2.4,0.7,0.1,0.1,49.0,0.0,45.8,0.1,0.2,1.2,0.0,0.0,1.4,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 44.6,44.7,0.3,51.0,1.8,0.0,52.5,0.0,0.0,0.0,2.4,0.7,0.1,0.1,49.0,0.0,45.8,0.1,0.2,1.2,0.0,0.0,1.4,0.0,0.0,0.1,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134]
  detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
               new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] 
@@ -148,7 +148,7 @@
                    [BINS(c->s)..: 12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 25.8,25.9,0.4,66.4,26.1,92.0,0.8,0.8,0.0,0.0,1.6,0.1,0.3,42.1,0.0,0.0,6.2,0.0,0.0,46.4,0.0,0.0,0.0,0.0,0.0,0.9,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 25.8,25.9,0.4,66.4,26.1,92.0,0.8,0.8,0.0,0.0,1.6,0.1,0.3,42.1,0.0,0.0,6.2,0.0,0.0,46.4,0.0,0.0,0.0,0.0,0.0,0.9]
                    [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124]
  detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
               new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] 
@@ -167,7 +167,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 31.5,31.5,0.2,36.8,7.0,43.6,0.0,0.6,0.6,2.4,0.2,0.1,37.7,0.7,1.1,36.8,0.1,0.1,0.0,0.5,8.6,9.1,0.1,0.1,0.2,0.2,0.0,0.1,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 31.5,31.5,0.2,36.8,7.0,43.6,0.0,0.6,0.6,2.4,0.2,0.1,37.7,0.7,1.1,36.8,0.1,0.1,0.0,0.5,8.6,9.1,0.1,0.1,0.2,0.2,0.0,0.1]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294]
           analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -176,7 +176,7 @@
                    [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 38.5,38.6,0.4,37.3,14.2,0.0,0.0,51.0,0.0,0.0,0.0,0.0,2.4,0.1,0.1,31.3,0.0,1.6,0.0,30.2,0.1,3.4,0.0,3.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 38.5,38.6,0.4,37.3,14.2,0.0,0.0,51.0,0.0,0.0,0.0,0.0,2.4,0.1,0.1,31.3,0.0,1.6,0.0,30.2,0.1,3.4,0.0,3.2,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86]
  detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Web][Acceptable]
           analyse: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Web][Safe]
@@ -186,7 +186,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0]
-                   [IATS(ms)....: 27.4,27.4,0.3,37.3,35.3,0.0,72.3,0.0,0.0,2.5,0.1,0.1,31.2,2.1,15.1,0.0,45.6,0.0,0.0,0.2,29.8,10.3,39.8,0.7,0.0,0.7,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 27.4,27.4,0.3,37.3,35.3,0.0,72.3,0.0,0.0,2.5,0.1,0.1,31.2,2.1,15.1,0.0,45.6,0.0,0.0,0.2,29.8,10.3,39.8,0.7,0.0,0.7]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86]
               new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] 
          detected: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Advertisement][Acceptable]
@@ -202,7 +202,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1]
-                   [IATS(ms)....: 27.2,27.2,0.3,32.1,7.5,39.3,0.5,0.5,0.0,1.9,0.1,0.1,39.4,0.3,11.8,49.5,0.0,0.2,1.9,0.0,1.7,0.0,0.0,0.1,0.1,1.6,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 27.2,27.2,0.3,32.1,7.5,39.3,0.5,0.5,0.0,1.9,0.1,0.1,39.4,0.3,11.8,49.5,0.0,0.2,1.9,0.0,1.7,0.0,0.0,0.1,0.1,1.6]
                    [PKTLENS.....: 94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474]
           analyse: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -211,7 +211,7 @@
                    [BINS(c->s)..: 12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 30.4,30.4,0.3,47.5,14.0,61.1,0.1,0.0,0.0,0.0,0.0,3.3,0.1,0.1,30.6,2.1,0.1,29.2,1.3,1.3,0.2,0.4,0.0,0.0,0.0,0.2,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 30.4,30.4,0.3,47.5,14.0,61.1,0.1,0.0,0.0,0.0,0.0,3.3,0.1,0.1,30.6,2.1,0.1,29.2,1.3,1.3,0.2,0.4,0.0,0.0,0.0,0.2,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86]
  detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun]
               new: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] 
@@ -225,7 +225,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 34.3,34.3,1.7,38.1,7.5,0.0,43.9,0.0,0.0,3.0,0.2,0.3,37.3,0.0,0.4,0.0,34.1,0.0,0.2,2.3,6.9,9.1,0.8,0.0,0.9,0.0,0.1,0.0,0.7,0.0,0.0,0.0]
+                   [IATS(ms)....: 34.3,34.3,1.7,38.1,7.5,0.0,43.9,0.0,0.0,3.0,0.2,0.3,37.3,0.0,0.4,0.0,34.1,0.0,0.2,2.3,6.9,9.1,0.8,0.0,0.9,0.0,0.1,0.0,0.7]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294]
          detected: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] [TLS][Web][Safe]
               new: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] 
@@ -253,7 +253,7 @@
                    [BINS(c->s)..: 10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1]
-                   [IATS(ms)....: 41.3,41.4,0.2,45.6,16.1,0.0,61.5,0.0,0.0,3.9,0.4,0.1,94.0,180.2,10.5,0.0,92.3,0.1,0.4,5.5,8.0,1.9,14.9,15.5,0.0,15.5,0.0,0.3,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 41.3,41.4,0.2,45.6,16.1,0.0,61.5,0.0,0.0,3.9,0.4,0.1,94.0,180.2,10.5,0.0,92.3,0.1,0.4,5.5,8.0,1.9,14.9,15.5,0.0,15.5,0.0,0.3,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474]
  detection-update: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Web][Safe]
           analyse: [....31] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54862] -> [...............2a00:1450:4007:806::200e][..443] [TLS.YouTube][Media][Fun]
@@ -263,7 +263,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1]
-                   [IATS(ms)....: 34.8,34.8,0.2,53.0,4.9,57.8,0.5,0.4,0.0,0.0,3.6,2.0,0.4,91.7,168.8,1.8,72.8,0.2,1.0,2.0,2.7,14.6,61.7,0.0,76.3,0.0,0.7,0.7,0.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 34.8,34.8,0.2,53.0,4.9,57.8,0.5,0.4,0.0,0.0,3.6,2.0,0.4,91.7,168.8,1.8,72.8,0.2,1.0,2.0,2.7,14.6,61.7,0.0,76.3,0.0,0.7,0.7,0.1]
                    [PKTLENS.....: 94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294]
               new: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] 
               new: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] 
@@ -281,7 +281,7 @@
                    [BINS(c->s)..: 11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1]
-                   [IATS(ms)....: 41.1,41.1,0.2,31.9,11.0,42.7,0.5,0.0,0.5,0.0,2.8,1.3,0.1,34.2,10.2,0.0,40.2,0.5,1.5,0.0,0.9,16.6,0.0,0.0,16.5,0.0,0.0,4.4,0.3,12.7,24.5,0.0]
+                   [IATS(ms)....: 41.1,41.1,0.2,31.9,11.0,42.7,0.5,0.0,0.5,0.0,2.8,1.3,0.1,34.2,10.2,0.0,40.2,0.5,1.5,0.0,0.9,16.6,0.0,0.0,16.5,0.0,0.0,4.4,0.3,12.7,24.5]
                    [PKTLENS.....: 94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86]
           analyse: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -290,7 +290,7 @@
                    [BINS(c->s)..: 9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1]
-                   [IATS(ms)....: 29.2,29.3,0.2,29.5,187.3,216.6,0.3,0.3,0.0,1.8,0.2,0.0,70.3,211.9,6.5,0.0,182.9,58.3,20.2,41.8,0.1,0.0,0.9,11.7,10.9,9.9,6.2,112.5,128.6,76.1,0.0,0.0]
+                   [IATS(ms)....: 29.2,29.3,0.2,29.5,187.3,216.6,0.3,0.3,0.0,1.8,0.2,0.0,70.3,211.9,6.5,0.0,182.9,58.3,20.2,41.8,0.1,0.0,0.9,11.7,10.9,9.9,6.2,112.5,128.6,76.1]
                    [PKTLENS.....: 94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352]
  detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun]
               new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] 
@@ -307,7 +307,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 43.0,43.1,0.3,41.3,10.2,51.1,0.4,38.4,3.5,41.5,0.5,0.0,0.5,0.0,0.1,0.1,2.3,0.2,0.1,38.5,0.0,36.0,0.0,0.0,0.1,5.2,2.2,17.6,0.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 43.0,43.1,0.3,41.3,10.2,51.1,0.4,38.4,3.5,41.5,0.5,0.0,0.5,0.0,0.1,0.1,2.3,0.2,0.1,38.5,0.0,36.0,0.0,0.0,0.1,5.2,2.2,17.6,0.2]
                    [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294]
  detection-update: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Advertisement][Acceptable]
               new: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] 
@@ -325,7 +325,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 37.4,37.4,0.2,47.4,15.0,62.3,0.0,0.4,0.3,2.5,0.2,0.3,39.9,0.1,2.3,39.3,0.2,2.9,2.6,0.8,0.8,0.3,0.0,0.0,0.3,0.0,0.0,0.1,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 37.4,37.4,0.2,47.4,15.0,62.3,0.0,0.4,0.3,2.5,0.2,0.3,39.9,0.1,2.3,39.3,0.2,2.9,2.6,0.8,0.8,0.3,0.0,0.0,0.3,0.0,0.0,0.1,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306]
          detected: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun]
  detection-update: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun]
@@ -339,7 +339,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 63.7,63.8,0.2,68.5,0.7,0.0,0.0,0.0,69.0,0.0,0.0,0.0,0.0,0.0,8.3,2.6,2.5,40.2,1.0,27.8,0.2,1.6,0.0,1.4,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 63.7,63.8,0.2,68.5,0.7,0.0,0.0,0.0,69.0,0.0,0.0,0.0,0.0,0.0,8.3,2.6,2.5,40.2,1.0,27.8,0.2,1.6,0.0,1.4,0.0,0.1,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125]
           analyse: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -348,7 +348,7 @@
                    [BINS(c->s)..: 11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1]
-                   [IATS(ms)....: 45.3,45.4,0.4,65.7,8.2,73.5,0.0,0.0,0.0,12.6,0.9,0.2,0.2,41.2,1.6,28.9,0.1,3.3,0.0,3.7,0.0,0.0,7.0,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 45.3,45.4,0.4,65.7,8.2,73.5,0.0,0.0,0.0,12.6,0.9,0.2,0.2,41.2,1.6,28.9,0.1,3.3,0.0,3.7,0.0,0.0,7.0,0.0,0.0,0.0,0.1,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294]
           analyse: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -357,7 +357,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 63.3,63.4,1.1,67.8,0.8,0.0,0.0,67.4,0.0,0.0,11.7,1.8,0.2,41.6,0.4,28.5,0.5,4.2,1.9,5.5,17.9,17.9,0.1,0.1,0.2,0.0,0.2,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 63.3,63.4,1.1,67.8,0.8,0.0,0.0,67.4,0.0,0.0,11.7,1.8,0.2,41.6,0.4,28.5,0.5,4.2,1.9,5.5,17.9,17.9,0.1,0.1,0.2,0.0,0.2,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86]
               new: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] 
          detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
@@ -370,7 +370,7 @@
                    [BINS(c->s)..: 9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 25.7,25.8,0.2,144.2,0.0,144.0,0.0,0.1,0.0,0.0,0.0,2.5,0.6,1.3,49.7,0.0,0.0,45.4,0.0,0.1,0.0,0.1,0.7,0.4,0.9,38.4,2.5,1.1,2.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 25.7,25.8,0.2,144.2,0.0,144.0,0.0,0.1,0.0,0.0,0.0,2.5,0.6,1.3,49.7,0.0,0.0,45.4,0.0,0.1,0.0,0.1,0.7,0.4,0.9,38.4,2.5,1.1,2.2]
                    [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128]
  detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
               new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] 
@@ -393,7 +393,7 @@
                    [BINS(c->s)..: 12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1]
-                   [IATS(ms)....: 18.5,18.6,0.4,37.2,9.0,0.0,0.0,0.0,45.9,0.0,0.0,0.0,8.7,0.4,0.3,33.6,0.0,0.1,1.2,0.0,25.4,0.0,0.5,7.3,0.0,0.0,6.8,0.0,0.0,3.7,20.5,0.0]
+                   [IATS(ms)....: 18.5,18.6,0.4,37.2,9.0,0.0,0.0,0.0,45.9,0.0,0.0,0.0,8.7,0.4,0.3,33.6,0.0,0.1,1.2,0.0,25.4,0.0,0.5,7.3,0.0,0.0,6.8,0.0,0.0,3.7,20.5]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86]
           analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Advertisement][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -402,7 +402,7 @@
                    [BINS(c->s)..: 13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0]
-                   [IATS(ms)....: 28.1,28.1,0.7,33.2,1.6,34.2,0.1,0.0,0.6,0.6,4.6,0.2,0.2,27.0,3.5,25.5,0.2,4.3,1.4,5.5,0.1,6.3,0.0,6.4,0.0,0.0,0.2,0.0,0.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 28.1,28.1,0.7,33.2,1.6,34.2,0.1,0.0,0.6,0.6,4.6,0.2,0.2,27.0,3.5,25.5,0.2,4.3,1.4,5.5,0.1,6.3,0.0,6.4,0.0,0.0,0.2,0.0,0.2,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86]
               new: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] 
               new: [....50] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46808] -> [...............2a00:1450:4007:808::2001][..443] 
@@ -442,7 +442,7 @@
                    [BINS(c->s)..: 10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0]
-                   [IATS(ms)....: 25.6,25.6,1.1,31.5,7.2,0.0,37.6,0.0,0.1,0.0,0.0,0.0,0.1,0.0,7.1,13.6,0.6,0.2,42.2,0.0,20.7,0.3,10.1,0.0,0.3,0.0,0.0,0.0,10.1,0.1,0.0,0.0]
+                   [IATS(ms)....: 25.6,25.6,1.1,31.5,7.2,0.0,37.6,0.0,0.1,0.0,0.0,0.0,0.1,0.0,7.1,13.6,0.6,0.2,42.2,0.0,20.7,0.3,10.1,0.0,0.3,0.0,0.0,0.0,10.1,0.1]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86]
           analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -451,7 +451,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1]
-                   [IATS(ms)....: 29.5,29.5,0.1,39.8,6.2,0.0,0.0,45.9,0.0,0.0,16.6,7.4,0.9,0.2,45.4,0.2,20.4,0.5,14.7,1.9,0.0,0.0,16.1,2.9,0.0,3.0,0.0,0.0,1.6,0.0,0.0,0.0]
+                   [IATS(ms)....: 29.5,29.5,0.1,39.8,6.2,0.0,0.0,45.9,0.0,0.0,16.6,7.4,0.9,0.2,45.4,0.2,20.4,0.5,14.7,1.9,0.0,0.0,16.1,2.9,0.0,3.0,0.0,0.0,1.6,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294]
           analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -460,7 +460,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1]
-                   [IATS(ms)....: 28.7,28.7,0.2,37.9,6.1,43.8,0.1,0.0,0.6,0.6,16.4,9.8,0.9,43.8,3.9,20.7,0.6,14.9,1.7,16.0,10.5,0.0,0.0,0.0,10.5,0.0,0.0,0.0,0.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 28.7,28.7,0.2,37.9,6.1,43.8,0.1,0.0,0.6,0.6,16.4,9.8,0.9,43.8,3.9,20.7,0.6,14.9,1.7,16.0,10.5,0.0,0.0,0.0,10.5,0.0,0.0,0.0,0.2,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86]
               new: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] 
          detected: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/rtsp.pcap.out b/test/results/flow-info/rtsp.pcap.out
index 97970b4a8..384061bc7 100644
--- a/test/results/flow-info/rtsp.pcap.out
+++ b/test/results/flow-info/rtsp.pcap.out
@@ -14,7 +14,7 @@
                    [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.1,0.2,0.1,0.0,0.0,0.2,0.0,0.0,0.1,13.1,0.0,0.0,0.1,13.5,0.0,0.0,0.0,20.6,0.0,0.0,0.0,21.1,0.0,0.0,0.1,0.5,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.1,0.2,0.1,0.0,0.0,0.2,0.0,0.0,0.1,13.1,0.0,0.0,0.1,13.5,0.0,0.0,0.0,20.6,0.0,0.0,0.0,21.1,0.0,0.0,0.1,0.5,0.0,0.0,0.0]
                    [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]
               new: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] 
          detected: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.1,0.3,0.0,0.0,0.0,0.6,0.0,0.0,0.1,9.3,0.0,0.0,0.1,10.1,0.0,0.0,0.0,20.5,0.0,0.0,0.0,21.2,0.0,0.0,0.4,0.9,0.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.1,0.3,0.0,0.0,0.0,0.6,0.0,0.0,0.1,9.3,0.0,0.0,0.1,10.1,0.0,0.0,0.0,20.5,0.0,0.0,0.0,21.2,0.0,0.0,0.4,0.9,0.1,0.0,0.0]
                    [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62]
               new: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] 
          detected: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
@@ -38,7 +38,7 @@
                    [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.0,0.1,0.8,0.1,0.0,0.2,4.8,0.0,0.0,0.4,6.2,0.1,0.0,0.1,20.1,0.0,0.1,0.0,21.0,0.0,0.0,0.1,0.9,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.0,0.1,0.8,0.1,0.0,0.2,4.8,0.0,0.0,0.4,6.2,0.1,0.0,0.1,20.1,0.0,0.1,0.0,21.0,0.0,0.0,0.1,0.9,0.0,0.0,0.1]
                    [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62]
               new: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] 
          detected: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
@@ -50,7 +50,7 @@
                    [BINS(c->s)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.1,1.3,0.0,0.0,0.3,505.2,0.0,0.0,0.1,504.5,0.0,0.0,0.1,1.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0,0.6,0.1,0.0,0.0,20.4,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.1,1.3,0.0,0.0,0.3,505.2,0.0,0.0,0.1,504.5,0.0,0.0,0.1,1.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0,0.6,0.1,0.0,0.0,20.4,0.0,0.0,0.1]
                    [PKTLENS.....: 68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181]
               end: [.....1] [ip4][..tcp] [......10.1.1.10][52470] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
                    RISK: Known Proto on Non Std Port
@@ -64,7 +64,7 @@
                    [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,10.3,0.0,0.0,11.4,0.0,0.8,0.0,0.1,20.3,0.0,0.0,0.1,23.8,0.0,0.0,0.1,3.5,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,10.3,0.0,0.0,11.4,0.0,0.8,0.0,0.1,20.3,0.0,0.0,0.1,23.8,0.0,0.0,0.1,3.5,0.0,0.0,0.1]
                    [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62]
               end: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
                    RISK: Known Proto on Non Std Port
@@ -78,7 +78,7 @@
                    [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,6.6,0.0,0.0,0.1,7.5,0.0,0.1,0.1,20.0,0.0,0.1,0.1,21.0,0.0,0.0,0.1,0.8,0.0,0.0,0.1,0.0]
+                   [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,6.6,0.0,0.0,0.1,7.5,0.0,0.1,0.1,20.0,0.0,0.1,0.1,21.0,0.0,0.0,0.1,0.8,0.0,0.0,0.1]
                    [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]
               end: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/rx.pcap.out b/test/results/flow-info/rx.pcap.out
index 1b56c5947..d92547a7d 100644
--- a/test/results/flow-info/rx.pcap.out
+++ b/test/results/flow-info/rx.pcap.out
@@ -18,7 +18,7 @@
                    [BINS(c->s)..: 1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1]
-                   [IATS(ms)....: 77.5,77.6,57.0,57.2,38.2,1.3,39.5,65.7,0.3,65.9,103.2,105.3,2.1,9.0,9.1,3.0,1.8,4.8,61.4,65.2,3.8,0.1,6.8,6.7,0.1,3.7,3.7,4.9,8.0,3.0,2.8,0.0]
+                   [IATS(ms)....: 77.5,77.6,57.0,57.2,38.2,1.3,39.5,65.7,0.3,65.9,103.2,105.3,2.1,9.0,9.1,3.0,1.8,4.8,61.4,65.2,3.8,0.1,6.8,6.7,0.1,3.7,3.7,4.9,8.0,3.0,2.8]
                    [PKTLENS.....: 74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74]
              idle: [.....1] [ip4][..udp] [131.114.219.168][41559] -> [192.167.206.124][.7002] [RX][RPC][Acceptable]
              idle: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] [RX][RPC][Acceptable]
diff --git a/test/results/flow-info/s7comm.pcap.out b/test/results/flow-info/s7comm.pcap.out
index 00a1e3e13..588cbf3f8 100644
--- a/test/results/flow-info/s7comm.pcap.out
+++ b/test/results/flow-info/s7comm.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]
-                   [IATS(ms)....: 3.7,3.9,3.1,3.1,0.1,7.0,6.9,4.6,9.0,4.4,0.6,7.0,6.4,0.3,6.0,5.7,0.3,9.0,8.7,0.2,9.0,8.8,0.2,9.0,8.8,0.2,9.0,8.8,0.2,5.0,4.7,0.0]
+                   [IATS(ms)....: 3.7,3.9,3.1,3.1,0.1,7.0,6.9,4.6,9.0,4.4,0.6,7.0,6.4,0.3,6.0,5.7,0.3,9.0,8.7,0.2,9.0,8.8,0.2,9.0,8.8,0.2,9.0,8.8,0.2,5.0,4.7]
                    [PKTLENS.....: 76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61]
              idle: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/safari.pcap.out b/test/results/flow-info/safari.pcap.out
index dcd5ceff5..76335848d 100644
--- a/test/results/flow-info/safari.pcap.out
+++ b/test/results/flow-info/safari.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0]
-                   [IATS(ms)....: 28.3,28.4,0.6,28.7,7.0,0.1,0.0,35.1,0.0,52.7,82.0,0.0,29.3,0.9,28.1,550.6,1.2,579.0,0.2,0.3,0.1,0.1,0.1,0.1,0.1,0.1,428.1,455.0,4.4,1.2,32.6,0.0]
+                   [IATS(ms)....: 28.3,28.4,0.6,28.7,7.0,0.1,0.0,35.1,0.0,52.7,82.0,0.0,29.3,0.9,28.1,550.6,1.2,579.0,0.2,0.3,0.1,0.1,0.1,0.1,0.1,0.1,428.1,455.0,4.4,1.2,32.6]
                    [PKTLENS.....: 78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66]
  detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] [TLS][Web][Safe]
          detected: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Web][Safe]
@@ -47,7 +47,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 29.6,29.7,2.4,30.5,0.0,28.2,51.9,8.9,77.9,8.5,0.6,1.2,27.4,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.1,0.2,0.5,0.1,0.6,24.0,24.0,84.5,7.8,118.9,0.9,0.0]
+                   [IATS(ms)....: 29.6,29.7,2.4,30.5,0.0,28.2,51.9,8.9,77.9,8.5,0.6,1.2,27.4,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.1,0.2,0.5,0.1,0.6,24.0,24.0,84.5,7.8,118.9,0.9]
                    [PKTLENS.....: 78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506]
           analyse: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -56,7 +56,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 30.4,30.4,2.4,30.7,1.7,30.1,50.3,8.6,78.3,9.2,5.0,0.1,33.7,0.1,0.7,0.9,0.1,0.1,0.0,0.3,0.0,104.0,6.6,140.4,1.5,0.5,31.8,0.1,0.1,0.2,0.4,0.0]
+                   [IATS(ms)....: 30.4,30.4,2.4,30.7,1.7,30.1,50.3,8.6,78.3,9.2,5.0,0.1,33.7,0.1,0.7,0.9,0.1,0.1,0.0,0.3,0.0,104.0,6.6,140.4,1.5,0.5,31.8,0.1,0.1,0.2,0.4]
                    [PKTLENS.....: 78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506]
           analyse: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -65,7 +65,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 31.3,31.4,1.4,32.4,1.0,32.0,49.5,8.2,77.5,8.4,0.6,1.2,30.1,0.1,0.0,0.1,0.1,0.1,106.8,7.1,144.0,5.8,0.1,35.9,0.1,0.1,0.2,0.1,0.1,0.2,0.1,0.0]
+                   [IATS(ms)....: 31.3,31.4,1.4,32.4,1.0,32.0,49.5,8.2,77.5,8.4,0.6,1.2,30.1,0.1,0.0,0.1,0.1,0.1,106.8,7.1,144.0,5.8,0.1,35.9,0.1,0.1,0.2,0.1,0.1,0.2,0.1]
                    [PKTLENS.....: 78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506]
           analyse: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -74,7 +74,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 33.6,33.6,1.2,33.6,0.0,32.4,46.9,8.3,78.2,6.3,1.0,0.3,30.4,0.9,0.0,0.9,105.4,6.5,147.0,2.1,0.1,37.3,0.1,0.1,0.2,0.1,0.6,0.8,0.1,0.1,0.2,0.0]
+                   [IATS(ms)....: 33.6,33.6,1.2,33.6,0.0,32.4,46.9,8.3,78.2,6.3,1.0,0.3,30.4,0.9,0.0,0.9,105.4,6.5,147.0,2.1,0.1,37.3,0.1,0.1,0.2,0.1,0.6,0.8,0.1,0.1,0.2]
                    [PKTLENS.....: 78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]
           analyse: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -83,7 +83,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0]
-                   [IATS(ms)....: 30.4,30.5,1.4,31.3,0.1,30.0,50.7,8.3,78.2,9.2,0.2,28.7,116.2,146.0,0.5,0.1,30.4,0.1,0.4,0.5,0.1,0.1,0.0,0.2,0.0,0.9,5.5,36.2,1.5,0.1,31.5,0.0]
+                   [IATS(ms)....: 30.4,30.5,1.4,31.3,0.1,30.0,50.7,8.3,78.2,9.2,0.2,28.7,116.2,146.0,0.5,0.1,30.4,0.1,0.4,0.5,0.1,0.1,0.0,0.2,0.0,0.9,5.5,36.2,1.5,0.1,31.5]
                    [PKTLENS.....: 78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66]
               new: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] 
          detected: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/signal.pcap.out b/test/results/flow-info/signal.pcap.out
index 9aa8bb31f..e03441b8d 100644
--- a/test/results/flow-info/signal.pcap.out
+++ b/test/results/flow-info/signal.pcap.out
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 44.2,46.0,0.1,45.6,0.8,0.2,0.3,0.2,47.8,0.0,0.1,46.0,44.7,7.8,1.7,0.1,0.4,0.1,52.3,0.0,1.1,0.0,42.6,0.1,0.7,0.5,0.1,0.9,0.1,0.4,0.0,0.0]
+                   [IATS(ms)....: 44.2,46.0,0.1,45.6,0.8,0.2,0.3,0.2,47.8,0.0,0.1,46.0,44.7,7.8,1.7,0.1,0.4,0.1,52.3,0.0,1.1,0.0,42.6,0.1,0.7,0.5,0.1,0.9,0.1,0.4,0.0]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427]
  detection-update: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -65,7 +65,7 @@
                    [BINS(c->s)..: 9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1]
-                   [IATS(ms)....: 34.9,37.7,0.1,37.4,0.8,0.2,0.3,0.2,37.0,0.2,34.8,100.7,83.3,17.6,1.1,2.5,0.1,0.4,0.1,36.0,0.0,31.6,0.5,2.4,0.0,0.5,2.2,1.1,0.2,0.2,0.0,0.0]
+                   [IATS(ms)....: 34.9,37.7,0.1,37.4,0.8,0.2,0.3,0.2,37.0,0.2,34.8,100.7,83.3,17.6,1.1,2.5,0.1,0.4,0.1,36.0,0.0,31.6,0.5,2.4,0.0,0.5,2.2,1.1,0.2,0.2,0.0]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427]
  detection-update: [....10] [ip4][..tcp] [...192.168.2.17][49227] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -88,7 +88,7 @@
                    [BINS(c->s)..: 4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
                    [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 108.9,110.6,0.1,110.4,2.1,0.0,112.4,5.0,114.9,0.0,109.6,1.9,0.0,0.0,0.1,0.8,0.1,0.2,0.1,111.4,0.2,108.4,1.8,0.6,1.7,0.2,0.2,0.3,0.1,109.4,1.5,0.0]
+                   [IATS(ms)....: 108.9,110.6,0.1,110.4,2.1,0.0,112.4,5.0,114.9,0.0,109.6,1.9,0.0,0.0,0.1,0.8,0.1,0.2,0.1,111.4,0.2,108.4,1.8,0.6,1.7,0.2,0.2,0.3,0.1,109.4,1.5]
                    [PKTLENS.....: 78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66]
               new: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [MIDSTREAM] 
          detected: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [TLS][Web][Safe]
@@ -103,7 +103,7 @@
                    [BINS(c->s)..: 5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
                    [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1]
-                   [IATS(ms)....: 32.9,39.8,0.1,40.0,2.7,0.0,39.4,7.8,43.4,0.4,0.0,34.7,0.1,7.5,0.5,0.0,0.1,0.4,5.9,0.1,0.4,42.2,0.0,0.5,26.8,7.6,10.7,0.1,0.3,0.3,26.1,0.0]
+                   [IATS(ms)....: 32.9,39.8,0.1,40.0,2.7,0.0,39.4,7.8,43.4,0.4,0.0,34.7,0.1,7.5,0.5,0.0,0.1,0.4,5.9,0.1,0.4,42.2,0.0,0.5,26.8,7.6,10.7,0.1,0.3,0.3,26.1]
                    [PKTLENS.....: 78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66]
  detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun]
              idle: [.....1] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable]
diff --git a/test/results/flow-info/simple-dnscrypt.pcap.out b/test/results/flow-info/simple-dnscrypt.pcap.out
index bfc7db580..4040b7b84 100644
--- a/test/results/flow-info/simple-dnscrypt.pcap.out
+++ b/test/results/flow-info/simple-dnscrypt.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 110.6,111.2,27.9,119.6,18.5,5.2,114.9,3.0,7.5,0.0,0.0,10.6,4.9,14.9,0.1,0.1,0.4,91.8,0.0,71.5,3.1,28.8,26.8,76.4,36.0,32.6,95.2,61.6,222.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 110.6,111.2,27.9,119.6,18.5,5.2,114.9,3.0,7.5,0.0,0.0,10.6,4.9,14.9,0.1,0.1,0.4,91.8,0.0,71.5,3.1,28.8,26.8,76.4,36.0,32.6,95.2,61.6,222.0,0.0]
                    [PKTLENS.....: 66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324]
  detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe]
               new: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] 
@@ -34,7 +34,7 @@
                    [BINS(c->s)..: 7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0]
-                   [IATS(ms)....: 76.9,77.0,0.2,75.5,27.7,2.5,105.6,0.6,0.0,0.6,1.3,0.0,1.6,3.3,3.7,0.1,0.1,3.1,0.1,0.0,84.7,0.0,74.1,4.3,9.6,25.1,23.4,82.0,4.1,98.4,0.0,0.0]
+                   [IATS(ms)....: 76.9,77.0,0.2,75.5,27.7,2.5,105.6,0.6,0.0,0.6,1.3,0.0,1.6,3.3,3.7,0.1,0.1,3.1,0.1,0.0,84.7,0.0,74.1,4.3,9.6,25.1,23.4,82.0,4.1,98.4]
                    [PKTLENS.....: 66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54]
  detection-update: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe]
              idle: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe]
diff --git a/test/results/flow-info/sip.pcap.out b/test/results/flow-info/sip.pcap.out
index 19f45a18b..772d7c99d 100644
--- a/test/results/flow-info/sip.pcap.out
+++ b/test/results/flow-info/sip.pcap.out
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0]
-                   [IATS(ms)....: 136.8,17415.6,17425.0,49.8,89928.6,89874.9,17280.7,17290.4,150200.0,150188.2,17325.2,17335.8,73916.0,73902.7,17325.0,17333.2,25.9,17725.0,29031.8,29092.7,34118.2,34119.1,29272.4,29031.8,29031.6,29031.5,17105.0,497.7,1001.8,279041.8,227.1,0.0]
+                   [IATS(ms)....: 136.8,17415.6,17425.0,49.8,89928.6,89874.9,17280.7,17290.4,150200.0,150188.2,17325.2,17335.8,73916.0,73902.7,17325.0,17333.2,25.9,17725.0,29031.8,29092.7,34118.2,34119.1,29272.4,29031.8,29031.6,29031.5,17105.0,497.7,1001.8,279041.8,227.1]
                    [PKTLENS.....: 509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382]
            update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable]
            update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable]
diff --git a/test/results/flow-info/sites.pcapng.out b/test/results/flow-info/sites.pcapng.out
index b81ffda19..00720c07a 100644
--- a/test/results/flow-info/sites.pcapng.out
+++ b/test/results/flow-info/sites.pcapng.out
@@ -29,7 +29,7 @@
                    [BINS(c->s)..: 10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 46.8,50.1,2.2,52.9,0.2,52.2,1.5,0.6,2.4,52.4,0.8,3.1,0.2,0.2,47.9,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 46.8,50.1,2.2,52.9,0.2,52.2,1.5,0.6,2.4,52.4,0.8,3.1,0.2,0.2,47.9,0.2]
                    [PKTLENS.....: 74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97]
  detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe]
               end: [.....3] [ip4][..tcp] [..192.168.1.227][50071] -> [...52.73.71.226][..443] 
@@ -44,7 +44,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0]
-                   [IATS(ms)....: 27.9,29.1,9.5,39.2,3.0,0.2,59.9,0.3,0.3,974.3,1031.1,29.6,0.5,2.0,0.5,0.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 27.9,29.1,9.5,39.2,3.0,0.2,59.9,0.3,0.3,974.3,1031.1,29.6,0.5,2.0,0.5,0.7]
                    [PKTLENS.....: 74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60]
               end: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe]
      DAEMON-EVENT: [Processed: 230 pkts][ZLib][compressions: 0|diff: 0 / 0]
diff --git a/test/results/flow-info/skinny.pcap.out b/test/results/flow-info/skinny.pcap.out
index 01a13d34a..df08b2382 100644
--- a/test/results/flow-info/skinny.pcap.out
+++ b/test/results/flow-info/skinny.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0]
-                   [IATS(ms)....: 2.2,0.0,0.0,6.0,3.8,0.3,0.0,0.0,20.0,19.7,10.4,48.8,3559.6,0.0,0.1,3609.8,11.7,20.1,16.5,36.5,7.0,23.4,32.8,20.0,11.7,0.0,20.0,11.5,27.3,50.7,26.7,0.0]
+                   [IATS(ms)....: 2.2,0.0,0.0,6.0,3.8,0.3,0.0,0.0,20.0,19.7,10.4,48.8,3559.6,0.0,0.1,3609.8,11.7,20.1,16.5,36.5,7.0,23.4,32.8,20.0,11.7,0.0,20.0,11.5,27.3,50.7,26.7]
                    [PKTLENS.....: 78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106]
               new: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] 
          detected: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable]
@@ -31,7 +31,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]
-                   [IATS(ms)....: 0.0,19.9,0.0,25.6,0.0,20.0,0.0,19.9,0.0,19.9,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,0.0]
+                   [IATS(ms)....: 0.0,19.9,0.0,25.6,0.0,20.0,0.0,19.9,0.0,19.9,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
           analyse: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -40,7 +40,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,20.0,20.0,19.9,20.0,20.1,20.0,20.0,20.0,0.0]
+                   [IATS(ms)....: 20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,20.0,20.0,19.9,20.0,20.1,20.0,20.0,20.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
           analyse: [.....5] [ip4][..udp] [.192.168.195.50][17726] -> [.192.168.193.24][.9399] [RTP][Media][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -49,7 +49,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,0.0]
+                   [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
           analyse: [.....6] [ip4][..udp] [.192.168.195.58][32152] -> [.192.168.193.24][.9396] [RTP][Media][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -58,7 +58,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 19.8,20.0,20.1,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.5,19.5,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,0.0]
+                   [IATS(ms)....: 19.8,20.0,20.1,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.5,19.5,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
           analyse: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] [RTP][Media][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -67,7 +67,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,19.9,20.0,19.9,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,0.0]
+                   [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,19.9,20.0,19.9,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0]
                    [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]
               new: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [MIDSTREAM] 
          detected: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [CiscoSkinny][VoIP][Acceptable]
@@ -78,7 +78,7 @@
                    [BINS(c->s)..: 10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1]
-                   [IATS(ms)....: 0.0,0.1,0.7,0.7,19.9,3583.0,19.3,3622.2,2.1,0.0,0.0,18.0,15.9,20.1,36.3,2.1,20.0,30.9,40.0,6.9,19.1,13.1,64.1,28.3,103.9,42.3,80.4,6999.6,0.0,5.8,7045.9,0.0]
+                   [IATS(ms)....: 0.0,0.1,0.7,0.7,19.9,3583.0,19.3,3622.2,2.1,0.0,0.0,18.0,15.9,20.1,36.3,2.1,20.0,30.9,40.0,6.9,19.1,13.1,64.1,28.3,103.9,42.3,80.4,6999.6,0.0,5.8,7045.9]
                    [PKTLENS.....: 90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60]
               new: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] 
          detected: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] [ICMP][Network][Acceptable]
diff --git a/test/results/flow-info/skype-conference-call.pcap.out b/test/results/flow-info/skype-conference-call.pcap.out
index 1fa3eb162..e435ba487 100644
--- a/test/results/flow-info/skype-conference-call.pcap.out
+++ b/test/results/flow-info/skype-conference-call.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 7.3,44.5,54.5,0.2,54.9,0.3,10.3,20.1,24.4,100.1,0.3,0.1,0.2,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.1,2.8,14.7,0.4,0.2,0.2,0.3,0.2,0.2,0.2,3.7,0.0]
+                   [IATS(ms)....: 7.3,44.5,54.5,0.2,54.9,0.3,10.3,20.1,24.4,100.1,0.3,0.1,0.2,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.1,2.8,14.7,0.4,0.2,0.2,0.3,0.2,0.2,0.2,3.7]
                    [PKTLENS.....: 146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135]
              idle: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/skype.pcap.out b/test/results/flow-info/skype.pcap.out
index ecb8662d2..b4057120d 100644
--- a/test/results/flow-info/skype.pcap.out
+++ b/test/results/flow-info/skype.pcap.out
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0]
-                   [IATS(ms)....: 75.2,75.2,28.8,111.2,0.2,82.6,77.2,0.2,77.4,12.7,300.9,288.2,83.4,83.5,0.3,86.7,86.3,3.1,96.5,93.4,0.3,253.9,0.0,253.6,0.0,0.4,87.2,86.8,115.8,0.0,115.7,0.0]
+                   [IATS(ms)....: 75.2,75.2,28.8,111.2,0.2,82.6,77.2,0.2,77.4,12.7,300.9,288.2,83.4,83.5,0.3,86.7,86.3,3.1,96.5,93.4,0.3,253.9,0.0,253.6,0.0,0.4,87.2,86.8,115.8,0.0,115.7]
                    [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66]
               new: [....19] [ip4][..tcp] [...192.168.1.34][50030] -> [...65.55.223.33][..443] 
               new: [....20] [ip4][..udp] [...192.168.1.34][60288] -> [....192.168.1.1][...53] 
@@ -454,7 +454,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 15.9,16.7,17.0,17.1,15.8,17.0,16.6,16.4,16.8,19850.7,15.7,18.8,14.7,83.2,16.8,19850.7,16.1,16.6,16.9,16.9,16.2,17.0,16.5,16.5,16.9,19850.6,16.3,16.4,16.7,16.7,16.5,0.0]
+                   [IATS(ms)....: 15.9,16.7,17.0,17.1,15.8,17.0,16.6,16.4,16.8,19850.7,15.7,18.8,14.7,83.2,16.8,19850.7,16.1,16.6,16.9,16.9,16.2,17.0,16.5,16.5,16.9,19850.6,16.3,16.4,16.7,16.7,16.5]
                    [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]
            update: [....69] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.24][40001] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable]
            update: [....76] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.21][40004] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable]
@@ -527,7 +527,7 @@
                    [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 244.0,244.1,0.5,204.3,761.0,964.7,0.5,202.0,201.5,40.2,40.2,162.2,162.2,40.2,40.2,200.9,0.0,201.0,204.1,204.1,0.1,240.8,240.6,207.5,0.0,207.6,3.0,4.5,199.6,198.0,41.6,0.0]
+                   [IATS(ms)....: 244.0,244.1,0.5,204.3,761.0,964.7,0.5,202.0,201.5,40.2,40.2,162.2,162.2,40.2,40.2,200.9,0.0,201.0,204.1,204.1,0.1,240.8,240.6,207.5,0.0,207.6,3.0,4.5,199.6,198.0,41.6]
                    [PKTLENS.....: 78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66]
      not-detected: [...227] [ip4][..tcp] [...192.168.1.34][50108] -> [...157.56.52.28][40009] [Unknown][Unrated]
               new: [...233] [ip4][..tcp] [...192.168.1.34][50110] -> [.91.190.216.125][12350] 
@@ -565,7 +565,7 @@
                    [BINS(c->s)..: 14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0]
-                   [IATS(ms)....: 83.4,83.5,0.1,64.1,64.0,0.4,68.5,68.1,2.9,71.2,68.2,199.8,199.7,154.2,154.1,2.6,133.8,131.2,0.2,0.1,0.1,64.3,8.4,55.5,127.9,0.2,0.2,70.5,0.0,70.1,0.2,0.0]
+                   [IATS(ms)....: 83.4,83.5,0.1,64.1,64.0,0.4,68.5,68.1,2.9,71.2,68.2,199.8,199.7,154.2,154.1,2.6,133.8,131.2,0.2,0.1,0.1,64.3,8.4,55.5,127.9,0.2,0.2,70.5,0.0,70.1,0.2]
                    [PKTLENS.....: 78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93]
      not-detected: [...250] [ip4][..tcp] [...192.168.1.34][50119] -> [....86.31.35.30][59621] [Unknown][Unrated]
               new: [...253] [ip4][..tcp] [...192.168.1.34][50123] -> [...80.14.46.121][.4415] 
@@ -592,7 +592,7 @@
                    [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 148.7,148.8,0.8,151.6,0.0,0.0,150.8,0.0,0.2,0.0,31.5,0.1,153.3,0.7,32.6,5.2,16.8,0.0,176.7,0.1,2.1,1.5,0.0,3.5,0.0,449.5,0.1,604.7,5.5,16.5,0.0,0.0]
+                   [IATS(ms)....: 148.7,148.8,0.8,151.6,0.0,0.0,150.8,0.0,0.2,0.0,31.5,0.1,153.3,0.7,32.6,5.2,16.8,0.0,176.7,0.1,2.1,1.5,0.0,3.5,0.0,449.5,0.1,604.7,5.5,16.5,0.0]
                    [PKTLENS.....: 78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90]
            update: [...108] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.26][40026] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable]
            update: [...111] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.47][40029] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable]
@@ -641,7 +641,7 @@
                    [BINS(c->s)..: 14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0]
-                   [IATS(ms)....: 60.8,60.9,0.1,60.1,60.0,0.4,72.4,72.0,2.9,63.2,60.3,262.3,262.3,157.4,157.5,3.6,187.8,184.1,1.9,62.9,110.0,171.0,0.2,63.7,63.5,1468.1,1782.0,746.1,1060.0,1410.3,1410.3,0.0]
+                   [IATS(ms)....: 60.8,60.9,0.1,60.1,60.0,0.4,72.4,72.0,2.9,63.2,60.3,262.3,262.3,157.4,157.5,3.6,187.8,184.1,1.9,62.9,110.0,171.0,0.2,63.7,63.5,1468.1,1782.0,746.1,1060.0,1410.3,1410.3]
                    [PKTLENS.....: 78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66]
      not-detected: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] [Unknown][Unrated]
               new: [...264] [ip4][..udp] [...192.168.1.34][52714] -> [....192.168.1.1][...53] 
@@ -735,7 +735,7 @@
                    [BINS(c->s)..: 14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0]
-                   [IATS(ms)....: 228.1,228.2,0.1,219.6,219.5,0.4,214.5,214.2,209.7,209.7,0.1,381.8,2061.0,2011.7,148.2,480.5,212.1,212.2,3.6,275.2,271.5,0.2,220.2,0.0,220.1,0.1,216.1,216.0,136.2,25387.6,25523.8,0.0]
+                   [IATS(ms)....: 228.1,228.2,0.1,219.6,219.5,0.4,214.5,214.2,209.7,209.7,0.1,381.8,2061.0,2011.7,148.2,480.5,212.1,212.2,3.6,275.2,271.5,0.2,220.2,0.0,220.1,0.1,216.1,216.0,136.2,25387.6,25523.8]
                    [PKTLENS.....: 78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66]
      not-detected: [...248] [ip4][..tcp] [...192.168.1.34][50117] -> [...71.238.7.203][18767] [Unknown][Unrated]
               new: [...274] [ip4][..udp] [...192.168.1.34][56886] -> [239.255.255.250][.1900] 
@@ -990,7 +990,7 @@
                    [BINS(c->s)..: 15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0]
-                   [IATS(ms)....: 214.7,214.8,0.1,223.5,223.4,0.4,217.5,217.2,213.6,213.7,0.1,315.3,2988.5,3022.2,145.3,494.2,215.9,215.9,3.6,275.6,272.1,0.2,291.4,291.1,0.2,75.0,137.0,211.9,164.3,30125.6,821.1,0.0]
+                   [IATS(ms)....: 214.7,214.8,0.1,223.5,223.4,0.4,217.5,217.2,213.6,213.7,0.1,315.3,2988.5,3022.2,145.3,494.2,215.9,215.9,3.6,275.6,272.1,0.2,291.4,291.1,0.2,75.0,137.0,211.9,164.3,30125.6,821.1]
                    [PKTLENS.....: 78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66]
      not-detected: [...283] [ip4][..tcp] [...192.168.1.34][50138] -> [...71.238.7.203][18767] [Unknown][Unrated]
      not-detected: [...221] [ip4][..tcp] [...192.168.1.34][50098] -> [...65.55.223.15][40026] [Unknown][Unrated]
diff --git a/test/results/flow-info/skype_no_unknown.pcap.out b/test/results/flow-info/skype_no_unknown.pcap.out
index 8978e840f..02fbc6224 100644
--- a/test/results/flow-info/skype_no_unknown.pcap.out
+++ b/test/results/flow-info/skype_no_unknown.pcap.out
@@ -52,7 +52,7 @@
                    [BINS(c->s)..: 9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1]
-                   [IATS(ms)....: 75.6,75.7,27.5,108.8,0.2,81.5,75.6,0.8,76.4,15.4,302.2,286.8,74.7,74.7,0.5,91.1,90.5,1.7,83.6,81.9,0.3,247.1,246.9,0.3,0.2,0.3,92.3,92.0,289.8,38.7,0.0,0.0]
+                   [IATS(ms)....: 75.6,75.7,27.5,108.8,0.2,81.5,75.6,0.8,76.4,15.4,302.2,286.8,74.7,74.7,0.5,91.1,90.5,1.7,83.6,81.9,0.3,247.1,246.9,0.3,0.2,0.3,92.3,92.0,289.8,38.7,0.0]
                    [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71]
               new: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] 
          detected: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable]
@@ -68,7 +68,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0]
-                   [IATS(ms)....: 0.1,141.8,4.6,11.8,0.0,158.2,1.4,0.0,1.4,933.1,0.1,1077.4,3.9,16.1,0.0,164.2,1.9,0.0,1.8,866.4,0.1,1010.6,5.0,11.8,160.8,0.2,0.1,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.1,141.8,4.6,11.8,0.0,158.2,1.4,0.0,1.4,933.1,0.1,1077.4,3.9,16.1,0.0,164.2,1.9,0.0,1.8,866.4,0.1,1010.6,5.0,11.8,160.8,0.2,0.1]
                    [PKTLENS.....: 680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54]
               new: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] 
          detected: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] [NetBIOS][System][Acceptable]
@@ -470,7 +470,7 @@
                    [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0]
-                   [IATS(ms)....: 1006.2,1296.9,290.8,0.6,292.8,2.2,294.3,0.5,293.3,292.8,39.6,39.6,253.3,253.3,40.1,40.1,350.4,0.0,350.4,293.9,293.9,0.1,334.3,334.2,300.0,0.0,300.0,2.1,4.2,292.4,290.3,0.0]
+                   [IATS(ms)....: 1006.2,1296.9,290.8,0.6,292.8,2.2,294.3,0.5,293.3,292.8,39.6,39.6,253.3,253.3,40.1,40.1,350.4,0.0,350.4,293.9,293.9,0.1,334.3,334.2,300.0,0.0,300.0,2.1,4.2,292.4,290.3]
                    [PKTLENS.....: 78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609]
      not-detected: [...210] [ip4][..tcp] [...192.168.1.34][51279] -> [..111.221.74.48][40008] [Unknown][Unrated]
               new: [...229] [ip4][..tcp] [...192.168.1.34][51286] -> [.91.190.218.125][..443] 
@@ -537,7 +537,7 @@
                    [BINS(c->s)..: 13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1]
-                   [IATS(ms)....: 69.8,69.9,0.1,64.1,63.9,0.4,65.4,65.0,2.0,66.7,64.9,268.0,267.9,126.5,126.5,3.7,173.4,169.7,0.2,68.9,95.7,164.4,0.2,67.0,66.9,198.4,1936.2,2004.1,795.9,1062.3,592.6,0.0]
+                   [IATS(ms)....: 69.8,69.9,0.1,64.1,63.9,0.4,65.4,65.0,2.0,66.7,64.9,268.0,267.9,126.5,126.5,3.7,173.4,169.7,0.2,68.9,95.7,164.4,0.2,67.0,66.9,198.4,1936.2,2004.1,795.9,1062.3,592.6]
                    [PKTLENS.....: 78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111]
      not-detected: [...242] [ip4][..tcp] [...192.168.1.34][51294] -> [...81.83.77.141][17639] [Unknown][Unrated]
               new: [...253] [ip4][..tcp] [...192.168.1.34][51305] -> [...149.13.32.15][13392] 
@@ -625,7 +625,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.6,0.6,0.5,0.5,0.5,99.7,0.6,0.6,0.6,19856.6,16.2,17.0,16.6,16.5,16.7,19850.6,16.2,16.5,16.7,16.7,16.6,17.0,16.6,16.7,16.6,19850.6,16.0,16.7,16.8,16.7,16.6,0.0]
+                   [IATS(ms)....: 0.6,0.6,0.5,0.5,0.5,99.7,0.6,0.6,0.6,19856.6,16.2,17.0,16.6,16.5,16.7,19850.6,16.2,16.5,16.7,16.7,16.6,17.0,16.6,16.7,16.6,19850.6,16.0,16.7,16.8,16.7,16.6]
                    [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]
               new: [...267] [ip4][..tcp] [...192.168.1.34][51319] -> [...212.161.8.36][13392] 
              idle: [...233] [ip4][..udp] [...192.168.1.34][13021] -> [189.188.134.174][22436] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable]
diff --git a/test/results/flow-info/smb_deletefile.pcap.out b/test/results/flow-info/smb_deletefile.pcap.out
index c6cf15daf..ba7c7efd1 100644
--- a/test/results/flow-info/smb_deletefile.pcap.out
+++ b/test/results/flow-info/smb_deletefile.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 1.2,1.2,2157.3,2158.4,1.2,0.1,1.3,1.2,7.5,9.4,1.9,0.1,0.1,0.1,0.0,0.5,0.2,0.6,5.6,5.6,4.7,5.9,1.1,0.1,1.2,1.1,0.1,1.0,0.9,26.0,26.9,0.0]
+                   [IATS(ms)....: 1.2,1.2,2157.3,2158.4,1.2,0.1,1.3,1.2,7.5,9.4,1.9,0.1,0.1,0.1,0.0,0.5,0.2,0.6,5.6,5.6,4.7,5.9,1.1,0.1,1.2,1.1,0.1,1.0,0.9,26.0,26.9]
                    [PKTLENS.....: 434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466]
              idle: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/smtp-starttls.pcap.out b/test/results/flow-info/smtp-starttls.pcap.out
index 1d6d8bae3..545966bd0 100644
--- a/test/results/flow-info/smtp-starttls.pcap.out
+++ b/test/results/flow-info/smtp-starttls.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 11.2,11.2,11.9,11.8,0.1,11.2,39.2,67.1,28.2,11.5,12.2,0.3,12.3,0.0,24.8,37.9,13.5,11.9,11.6,11.6,11.8,51.4,103.7,157.0,13.6,11.5,11.1,16.4,67.3,42.9,94.1,0.0]
+                   [IATS(ms)....: 11.2,11.2,11.9,11.8,0.1,11.2,39.2,67.1,28.2,11.5,12.2,0.3,12.3,0.0,24.8,37.9,13.5,11.9,11.6,11.6,11.8,51.4,103.7,157.0,13.6,11.5,11.1,16.4,67.3,42.9,94.1]
                    [PKTLENS.....: 74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147]
      DAEMON-EVENT: [Processed: 36 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0]
@@ -34,7 +34,7 @@
                    [BINS(c->s)..: 7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 0.7,1.0,19.0,29.5,11.1,0.1,1.2,1.0,1.0,6.1,12.8,0.6,8.6,202.0,202.9,1.0,7.3,6.8,7.3,7.3,1.2,2.1,3.0,0.4,21.0,21.8,1.0,6.8,0.0,6.8,0.7,0.0]
+                   [IATS(ms)....: 0.7,1.0,19.0,29.5,11.1,0.1,1.2,1.0,1.0,6.1,12.8,0.6,8.6,202.0,202.9,1.0,7.3,6.8,7.3,7.3,1.2,2.1,3.0,0.4,21.0,21.8,1.0,6.8,0.0,6.8,0.7]
                    [PKTLENS.....: 90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78]
               end: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe]
                    RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS
diff --git a/test/results/flow-info/smtp.pcap.out b/test/results/flow-info/smtp.pcap.out
index 204d460b9..05b638bd4 100644
--- a/test/results/flow-info/smtp.pcap.out
+++ b/test/results/flow-info/smtp.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.3,1.1,19.7,31.1,24.6,55.1,2.2,21.4,1.1,1.2,1.1,1.2,1.2,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.0,1.0,1.1,1.1,1.1,1.1,0.0]
+                   [IATS(ms)....: 0.3,1.1,19.7,31.1,24.6,55.1,2.2,21.4,1.1,1.2,1.1,1.2,1.2,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.0,1.0,1.1,1.1,1.1,1.1]
                    [PKTLENS.....: 60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91]
               end: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/snapchat_call.pcapng.out b/test/results/flow-info/snapchat_call.pcapng.out
index a07ebf64b..ec0741abf 100644
--- a/test/results/flow-info/snapchat_call.pcapng.out
+++ b/test/results/flow-info/snapchat_call.pcapng.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1]
-                   [IATS(ms)....: 16.8,0.1,30.4,0.1,24.2,5.1,0.0,0.0,20.3,29.1,5.5,0.1,0.0,0.2,2.1,54.4,0.0,0.0,507.6,1447.3,48.7,53.5,57.9,1172.7,3.3,7.5,379.7,803.5,440.1,1155.7,589.8,0.0]
+                   [IATS(ms)....: 16.8,0.1,30.4,0.1,24.2,5.1,0.0,0.0,20.3,29.1,5.5,0.1,0.0,0.2,2.1,54.4,0.0,0.0,507.6,1447.3,48.7,53.5,57.9,1172.7,3.3,7.5,379.7,803.5,440.1,1155.7,589.8]
                    [PKTLENS.....: 1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86]
              idle: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable]
                    RISK: Missing SNI TLS Extn
diff --git a/test/results/flow-info/softether.pcap.out b/test/results/flow-info/softether.pcap.out
index 52efa3030..c7d46b532 100644
--- a/test/results/flow-info/softether.pcap.out
+++ b/test/results/flow-info/softether.pcap.out
@@ -78,7 +78,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1]
-                   [IATS(ms)....: 257.0,27676.0,27674.0,26195.0,26194.0,26159.0,26161.0,10299.0,10301.0,14858.0,14853.0,27814.0,27815.0,25788.0,1540291.2,1566080.2,18689.0,18689.0,5427.0,5426.0,27856.0,27856.0,26072.0,26072.0,26524.0,26524.0,24993.0,24993.0,25093.0,862645.0,887738.0,0.0]
+                   [IATS(ms)....: 257.0,27676.0,27674.0,26195.0,26194.0,26159.0,26161.0,10299.0,10301.0,14858.0,14853.0,27814.0,27815.0,25788.0,1540291.2,1566080.2,18689.0,18689.0,5427.0,5426.0,27856.0,27856.0,26072.0,26072.0,26524.0,26524.0,24993.0,24993.0,25093.0,862645.0,887738.0]
                    [PKTLENS.....: 43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70]
            update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable]
            update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable]
diff --git a/test/results/flow-info/ssh.pcap.out b/test/results/flow-info/ssh.pcap.out
index 21ec1e688..8764b9f0e 100644
--- a/test/results/flow-info/ssh.pcap.out
+++ b/test/results/flow-info/ssh.pcap.out
@@ -19,7 +19,7 @@
                    [BINS(c->s)..: 12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]
-                   [IATS(ms)....: 0.0,0.0,8.1,8.1,0.3,0.8,0.5,0.1,1.5,1.6,0.3,1.8,1.6,1.6,14.7,13.1,1.8,42.3,40.5,0.2,0.3,0.4,0.3,40.6,51.2,91.6,2632.3,2632.6,1868.8,1869.1,2907.1,0.0]
+                   [IATS(ms)....: 0.0,0.0,8.1,8.1,0.3,0.8,0.5,0.1,1.5,1.6,0.3,1.8,1.6,1.6,14.7,13.1,1.8,42.3,40.5,0.2,0.3,0.4,0.3,40.6,51.2,91.6,2632.3,2632.6,1868.8,1869.1,2907.1]
                    [PKTLENS.....: 78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210]
               end: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable]
                    RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher
diff --git a/test/results/flow-info/starcraft_battle.pcap.out b/test/results/flow-info/starcraft_battle.pcap.out
index 186b5e91a..5202c90d9 100644
--- a/test/results/flow-info/starcraft_battle.pcap.out
+++ b/test/results/flow-info/starcraft_battle.pcap.out
@@ -48,7 +48,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 58.1,58.1,0.1,58.2,14.3,72.4,0.1,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.2,0.2,56.8,56.9,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.1,0.2,0.0]
+                   [IATS(ms)....: 58.1,58.1,0.1,58.2,14.3,72.4,0.1,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.2,0.2,56.8,56.9,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.1,0.2]
                    [PKTLENS.....: 66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514]
               new: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] 
          detected: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] [HTTP.WorldOfWarcraft][Game][Fun]
@@ -92,7 +92,7 @@
                    [BINS(c->s)..: 23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 52.5,52.6,94.6,145.7,24.3,95.1,95.9,166.3,70.9,49.6,160.3,31.2,128.6,15.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 52.5,52.6,94.6,145.7,24.3,95.1,95.9,166.3,70.9,49.6,160.3,31.2,128.6,15.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77]
               new: [....34] [ip4][..udp] [..192.168.1.100][53146] -> [...5.42.180.154][.1119] 
               new: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] 
@@ -135,7 +135,7 @@
                    [BINS(c->s)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 32.5,32.5,1.6,34.3,1.1,0.1,33.9,0.2,0.1,0.3,0.1,0.3,0.4,0.2,0.1,0.3,0.1,0.1,0.2,0.1,0.6,0.7,0.1,0.1,0.2,0.1,0.1,0.3,32.9,0.3,33.2,0.0]
+                   [IATS(ms)....: 32.5,32.5,1.6,34.3,1.1,0.1,33.9,0.2,0.1,0.3,0.1,0.3,0.4,0.2,0.1,0.3,0.1,0.1,0.2,0.1,0.6,0.7,0.1,0.1,0.2,0.1,0.1,0.3,32.9,0.3,33.2]
                    [PKTLENS.....: 66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54]
           guessed: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] [Starcraft][Game][Fun]
              idle: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] 
diff --git a/test/results/flow-info/stun.pcap.out b/test/results/flow-info/stun.pcap.out
index 0ed7b85bf..e6bd50f82 100644
--- a/test/results/flow-info/stun.pcap.out
+++ b/test/results/flow-info/stun.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 6.9,10132.2,10132.3,10358.5,2.9,10358.5,2.9,10055.4,10055.5,10056.9,10056.9,10057.2,10057.2,10053.9,10054.0,10069.5,10069.5,10027.1,10027.1,10027.3,10027.3,10064.0,10063.9,10098.3,10098.4,10035.5,10035.4,10061.4,10061.4,10028.4,10028.3,0.0]
+                   [IATS(ms)....: 6.9,10132.2,10132.3,10358.5,2.9,10358.5,2.9,10055.4,10055.5,10056.9,10056.9,10057.2,10057.2,10053.9,10054.0,10069.5,10069.5,10027.1,10027.1,10027.3,10027.3,10064.0,10063.9,10098.3,10098.4,10035.5,10035.4,10061.4,10061.4,10028.4,10028.3]
                    [PKTLENS.....: 82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106]
            update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable]
      DAEMON-EVENT: [Processed: 42 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -27,7 +27,7 @@
                    [BINS(c->s)..: 1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1]
-                   [IATS(ms)....: 11.5,15.6,15.9,6004.4,4.7,5997.4,4.5,7.5,7.1,108.4,344.5,499.2,68.5,0.2,19.7,29.0,92.2,23.6,96.4,1.6,50.3,48.3,0.3,50.1,3.3,0.0,52.9,0.4,9.7,44.9,232.2,0.0]
+                   [IATS(ms)....: 11.5,15.6,15.9,6004.4,4.7,5997.4,4.5,7.5,7.1,108.4,344.5,499.2,68.5,0.2,19.7,29.0,92.2,23.6,96.4,1.6,50.3,48.3,0.3,50.1,3.3,0.0,52.9,0.4,9.7,44.9,232.2]
                    [PKTLENS.....: 70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174]
              idle: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable]
      DAEMON-EVENT: [Processed: 117 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -47,7 +47,7 @@
                    [BINS(c->s)..: 0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0]
-                   [IATS(ms)....: 22.9,25.6,18.8,27.0,9.0,16.5,8.2,0.0,96.0,9.4,96.1,13.9,9.7,14.0,0.0,0.0,28.4,12.0,233.2,17.4,835.9,625.3,352.7,699.8,203.7,550.7,72.1,9.0,20.6,28.1,14.7,0.0]
+                   [IATS(ms)....: 22.9,25.6,18.8,27.0,9.0,16.5,8.2,0.0,96.0,9.4,96.1,13.9,9.7,14.0,0.0,0.0,28.4,12.0,233.2,17.4,835.9,625.3,352.7,699.8,203.7,550.7,72.1,9.0,20.6,28.1,14.7]
                    [PKTLENS.....: 150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109]
              idle: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable]
              idle: [.....3] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Network][Acceptable]
diff --git a/test/results/flow-info/stun_signal.pcapng.out b/test/results/flow-info/stun_signal.pcapng.out
index 2289e243b..53949adcf 100644
--- a/test/results/flow-info/stun_signal.pcapng.out
+++ b/test/results/flow-info/stun_signal.pcapng.out
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1]
-                   [IATS(ms)....: 83.9,0.0,92.5,7.8,46.1,91.4,0.0,37.9,40.0,9.1,41.9,367.7,0.1,441.0,0.0,600.8,610.2,117.9,49.9,49.8,64.2,212.9,679.4,8.7,0.0,503.8,102.9,201.0,101.8,9.3,62.2,0.0]
+                   [IATS(ms)....: 83.9,0.0,92.5,7.8,46.1,91.4,0.0,37.9,40.0,9.1,41.9,367.7,0.1,441.0,0.0,600.8,610.2,117.9,49.9,49.8,64.2,212.9,679.4,8.7,0.0,503.8,102.9,201.0,101.8,9.3,62.2]
                    [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98]
            update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][Network][Acceptable]
          detected: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.AmazonAWS][Cloud][Acceptable]
@@ -53,7 +53,7 @@
                    [BINS(c->s)..: 0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 4.1,63.0,0.0,180.8,3.5,1499.2,2002.8,0.0,4842.0,0.1,17079.4,30.0,28.1,10.0,178.6,30.7,1472.4,2000.5,31.0,3968.8,29.9,37.3,7.8,7927.3,28.5,35.4,6.5,7931.2,29.2,34.6,5.1,0.0]
+                   [IATS(ms)....: 4.1,63.0,0.0,180.8,3.5,1499.2,2002.8,0.0,4842.0,0.1,17079.4,30.0,28.1,10.0,178.6,30.7,1472.4,2000.5,31.0,3968.8,29.9,37.3,7.8,7927.3,28.5,35.4,6.5,7931.2,29.2,34.6,5.1]
                    [PKTLENS.....: 90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98]
            update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable]
                    RISK: Known Proto on Non Std Port
@@ -95,7 +95,7 @@
                    [BINS(c->s)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0]
-                   [IATS(ms)....: 68.5,0.1,70.3,29.3,44.7,113.4,0.0,43.2,26.5,8.5,31.0,313.6,0.3,410.7,0.0,665.0,630.5,122.5,190.5,61.6,378.1,7.9,325.5,42.2,76.0,424.9,96.8,5.4,434.3,47.7,66.2,0.0]
+                   [IATS(ms)....: 68.5,0.1,70.3,29.3,44.7,113.4,0.0,43.2,26.5,8.5,31.0,313.6,0.3,410.7,0.0,665.0,630.5,122.5,190.5,61.6,378.1,7.9,325.5,42.2,76.0,424.9,96.8,5.4,434.3,47.7,66.2]
                    [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106]
            update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][VoIP][Acceptable]
            update: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable]
diff --git a/test/results/flow-info/teams.pcap.out b/test/results/flow-info/teams.pcap.out
index 16882c437..ab743f6de 100644
--- a/test/results/flow-info/teams.pcap.out
+++ b/test/results/flow-info/teams.pcap.out
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0]
-                   [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5,0.0]
+                   [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5]
                    [PKTLENS.....: 78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54]
  detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe]
  detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe]
@@ -42,7 +42,7 @@
                    [BINS(c->s)..: 5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0]
-                   [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0,0.0]
+                   [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0]
                    [PKTLENS.....: 78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494]
  detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -59,7 +59,7 @@
                    [BINS(c->s)..: 7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 45.3,45.4,0.3,49.2,0.0,48.8,0.2,0.2,1.3,46.5,45.3,1.9,0.0,0.0,47.7,45.8,0.0,0.0,0.0,37.7,37.7,0.0,8.0,8.1,0.0,0.7,37.0,7.8,4.3,49.8,1.3,0.0]
+                   [IATS(ms)....: 45.3,45.4,0.3,49.2,0.0,48.8,0.2,0.2,1.3,46.5,45.3,1.9,0.0,0.0,47.7,45.8,0.0,0.0,0.0,37.7,37.7,0.0,8.0,8.1,0.0,0.7,37.0,7.8,4.3,49.8,1.3]
                    [PKTLENS.....: 78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97]
           analyse: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -68,7 +68,7 @@
                    [BINS(c->s)..: 8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1]
-                   [IATS(ms)....: 11.4,11.5,0.2,11.3,2.8,0.1,13.8,0.1,0.1,0.1,0.0,0.1,4.8,15.5,11.8,1.3,0.0,0.2,0.0,0.3,0.2,0.0,0.1,10.9,0.0,10.4,1.7,0.2,0.0,50.4,0.0,0.0]
+                   [IATS(ms)....: 11.4,11.5,0.2,11.3,2.8,0.1,13.8,0.1,0.1,0.1,0.0,0.1,4.8,15.5,11.8,1.3,0.0,0.2,0.0,0.3,0.2,0.0,0.1,10.9,0.0,10.4,1.7,0.2,0.0,50.4,0.0]
                    [PKTLENS.....: 78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069]
  detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe]
       ERROR-EVENT: Unknown packet type
@@ -149,7 +149,7 @@
                    [BINS(c->s)..: 5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0]
-                   [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8,0.0]
+                   [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8]
                    [PKTLENS.....: 78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494]
  detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -165,7 +165,7 @@
                    [BINS(c->s)..: 11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 45.7,45.8,0.2,47.9,0.0,47.7,0.0,0.1,0.2,0.1,0.2,9.9,9.9,3.5,10.4,0.4,51.4,37.1,0.2,0.2,0.2,7.1,7.0,1.3,1.2,79.2,201.4,0.0,0.0,167.5,0.2,0.0]
+                   [IATS(ms)....: 45.7,45.8,0.2,47.9,0.0,47.7,0.0,0.1,0.2,0.1,0.2,9.9,9.9,3.5,10.4,0.4,51.4,37.1,0.2,0.2,0.2,7.1,7.0,1.3,1.2,79.2,201.4,0.0,0.0,167.5,0.2]
                    [PKTLENS.....: 78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96]
               new: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] 
          detected: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe]
@@ -185,7 +185,7 @@
                    [BINS(c->s)..: 11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
                    [BINS(s->c)..: 3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1]
-                   [IATS(ms)....: 34.2,34.3,0.3,36.9,0.0,36.6,0.0,0.2,0.2,0.1,0.0,0.1,1.0,12.0,0.3,36.0,22.7,0.2,0.2,0.1,10.4,10.3,0.6,0.6,77.1,91.7,0.0,49.1,80.4,115.1,0.2,0.0]
+                   [IATS(ms)....: 34.2,34.3,0.3,36.9,0.0,36.6,0.0,0.2,0.2,0.1,0.0,0.1,1.0,12.0,0.3,36.0,22.7,0.2,0.2,0.1,10.4,10.3,0.6,0.6,77.1,91.7,0.0,49.1,80.4,115.1,0.2]
                    [PKTLENS.....: 78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153]
       ERROR-EVENT: Unknown packet type
               new: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] 
@@ -201,7 +201,7 @@
                    [BINS(c->s)..: 9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1]
-                   [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6,0.0]
+                   [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6]
                    [PKTLENS.....: 78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359]
  detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe]
       ERROR-EVENT: Unknown packet type
@@ -212,7 +212,7 @@
                    [BINS(c->s)..: 9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0]
-                   [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3,0.0]
+                   [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3]
                    [PKTLENS.....: 78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262]
  detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable]
               new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] 
@@ -265,7 +265,7 @@
                    [BINS(c->s)..: 10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2,0.0]
+                   [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2]
                    [PKTLENS.....: 78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506]
  detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -287,7 +287,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0]
-                   [IATS(ms)....: 48.6,48.7,0.3,51.0,0.1,50.7,0.0,0.3,0.3,1.7,49.8,48.1,1.4,0.0,0.0,50.5,49.1,0.0,0.0,0.0,37.2,37.2,0.0,11.5,11.5,1.0,36.0,16.0,53.0,0.7,0.1,0.0]
+                   [IATS(ms)....: 48.6,48.7,0.3,51.0,0.1,50.7,0.0,0.3,0.3,1.7,49.8,48.1,1.4,0.0,0.0,50.5,49.1,0.0,0.0,0.0,37.2,37.2,0.0,11.5,11.5,1.0,36.0,16.0,53.0,0.7,0.1]
                    [PKTLENS.....: 78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66]
       ERROR-EVENT: Unknown packet type
               new: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] 
@@ -314,7 +314,7 @@
                    [BINS(c->s)..: 12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0]
-                   [IATS(ms)....: 29.5,29.6,0.2,45.7,0.2,45.7,0.1,0.1,0.1,0.1,0.0,0.1,0.6,23.2,0.2,30.2,0.0,6.1,0.0,0.2,22.9,22.6,1.5,1.4,2.9,0.0,32.7,0.2,30.1,125.5,125.6,0.0]
+                   [IATS(ms)....: 29.5,29.6,0.2,45.7,0.2,45.7,0.1,0.1,0.1,0.1,0.0,0.1,0.6,23.2,0.2,30.2,0.0,6.1,0.0,0.2,22.9,22.6,1.5,1.4,2.9,0.0,32.7,0.2,30.1,125.5,125.6]
                    [PKTLENS.....: 78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66]
               new: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] 
          detected: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Network][Acceptable]
@@ -327,7 +327,7 @@
                    [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]
                    [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1]
-                   [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7,0.0]
+                   [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7]
                    [PKTLENS.....: 78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66]
  detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -356,7 +356,7 @@
                    [BINS(c->s)..: 11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1]
-                   [IATS(ms)....: 19.2,19.3,0.2,22.0,0.0,21.8,0.0,0.2,0.2,0.2,0.0,0.2,1.1,12.3,0.3,19.9,0.0,6.3,0.0,0.6,12.0,11.4,1.5,1.4,55.0,62.1,0.0,25.5,0.0,18.4,276.9,0.0]
+                   [IATS(ms)....: 19.2,19.3,0.2,22.0,0.0,21.8,0.0,0.2,0.2,0.2,0.0,0.2,1.1,12.3,0.3,19.9,0.0,6.3,0.0,0.6,12.0,11.4,1.5,1.4,55.0,62.1,0.0,25.5,0.0,18.4,276.9]
                    [PKTLENS.....: 78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349]
       ERROR-EVENT: Unknown packet type
           analyse: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Collaborative][Safe]
@@ -366,7 +366,7 @@
                    [BINS(c->s)..: 10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1]
-                   [IATS(ms)....: 47.1,47.2,0.5,44.4,0.0,43.9,0.0,0.0,0.2,0.1,0.0,0.2,0.0,4.4,9.7,0.3,46.5,32.1,0.5,0.4,0.1,18.9,1.4,20.2,62.9,403.2,425.0,8978.2,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 47.1,47.2,0.5,44.4,0.0,43.9,0.0,0.0,0.2,0.1,0.0,0.2,0.0,4.4,9.7,0.3,46.5,32.1,0.5,0.4,0.1,18.9,1.4,20.2,62.9,403.2,425.0,8978.2,0.0,0.0,0.0]
                    [PKTLENS.....: 78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92]
               new: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [MIDSTREAM] 
       ERROR-EVENT: Unknown packet type
@@ -448,7 +448,7 @@
                    [BINS(c->s)..: 15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1]
-                   [IATS(ms)....: 45.0,45.1,0.2,47.4,47.2,0.2,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,8.0,0.0,0.0,52.4,1.2,45.6,48.6,92.2,43.7,69.1,0.3,113.5,1566.9,0.0]
+                   [IATS(ms)....: 45.0,45.1,0.2,47.4,47.2,0.2,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,8.0,0.0,0.0,52.4,1.2,45.6,48.6,92.2,43.7,69.1,0.3,113.5,1566.9]
                    [PKTLENS.....: 78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60]
       ERROR-EVENT: Unknown packet type
       ERROR-EVENT: Unknown packet type
@@ -466,7 +466,7 @@
                    [BINS(c->s)..: 0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 24.8,0.2,101.3,1168.2,1167.0,967.1,50.8,1119.2,0.0,0.0,51.0,80.3,2.0,2.7,3.7,0.0,0.0,0.0,10.7,24.2,9.3,21.5,4.5,19.9,25.3,9.2,24.4,24.6,9.5,26.0,24.3,0.0]
+                   [IATS(ms)....: 24.8,0.2,101.3,1168.2,1167.0,967.1,50.8,1119.2,0.0,0.0,51.0,80.3,2.0,2.7,3.7,0.0,0.0,0.0,10.7,24.2,9.3,21.5,4.5,19.9,25.3,9.2,24.4,24.6,9.5,26.0,24.3]
                    [PKTLENS.....: 154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116]
              idle: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] 
               end: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Collaborative][Safe]
diff --git a/test/results/flow-info/teamviewer.pcap.out b/test/results/flow-info/teamviewer.pcap.out
index bdf9eeb9c..ca632c8eb 100644
--- a/test/results/flow-info/teamviewer.pcap.out
+++ b/test/results/flow-info/teamviewer.pcap.out
@@ -8,7 +8,7 @@
                    [BINS(c->s)..: 5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1]
-                   [IATS(ms)....: 136.3,137.2,0.6,1.8,12.1,11.9,35.7,0.1,35.8,0.0,88.3,88.6,11.6,11.6,151.9,0.1,152.0,35.7,35.9,255.8,274.4,18.6,256.5,257.6,1.1,0.3,0.3,28.9,0.0,29.1,0.0,0.0]
+                   [IATS(ms)....: 136.3,137.2,0.6,1.8,12.1,11.9,35.7,0.1,35.8,0.0,88.3,88.6,11.6,11.6,151.9,0.1,152.0,35.7,35.9,255.8,274.4,18.6,256.5,257.6,1.1,0.3,0.3,28.9,0.0,29.1,0.0]
                    [PKTLENS.....: 74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54]
               new: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] 
          detected: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable]
@@ -20,7 +20,7 @@
                    [BINS(c->s)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 12.3,12.3,0.1,40.7,3.9,3.2,6.6,81.8,9.0,0.1,7.4,9.2,442.9,41.9,345.1,0.1,0.0,0.0,0.0,0.0,0.0,2.0,0.1,0.0,9.6,0.1,0.0,51.0,58.8,0.1,0.0,0.0]
+                   [IATS(ms)....: 12.3,12.3,0.1,40.7,3.9,3.2,6.6,81.8,9.0,0.1,7.4,9.2,442.9,41.9,345.1,0.1,0.0,0.0,0.0,0.0,0.0,2.0,0.1,0.0,9.6,0.1,0.0,51.0,58.8,0.1,0.0]
                    [PKTLENS.....: 138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85]
            update: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable]
                    RISK: Known Proto on Non Std Port, Desktop/File Sharing
diff --git a/test/results/flow-info/telegram.pcap.out b/test/results/flow-info/telegram.pcap.out
index 528ff31c0..42e1e5e45 100644
--- a/test/results/flow-info/telegram.pcap.out
+++ b/test/results/flow-info/telegram.pcap.out
@@ -34,7 +34,7 @@
                    [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 549.4,0.8,252.8,249.2,102.8,152.8,104.9,141.4,2.6,102.2,252.5,506.2,1089.0,524.5,0.5,254.5,249.1,108.9,146.8,101.0,145.2,2.4,102.1,256.0,497.9,504.7,600.2,564.9,0.4,248.3,249.2,0.0]
+                   [IATS(ms)....: 549.4,0.8,252.8,249.2,102.8,152.8,104.9,141.4,2.6,102.2,252.5,506.2,1089.0,524.5,0.5,254.5,249.1,108.9,146.8,101.0,145.2,2.4,102.1,256.0,497.9,504.7,600.2,564.9,0.4,248.3,249.2]
                    [PKTLENS.....: 142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]
           analyse: [.....6] [ip6][..udp] [................fe80::4ba:91a:7817:e318][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -43,7 +43,7 @@
                    [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 549.6,0.4,252.7,249.3,102.6,153.3,104.8,140.9,2.6,102.6,252.5,506.2,1088.5,524.6,0.5,254.5,249.4,109.0,147.1,100.8,145.2,1.9,102.6,256.1,498.0,504.7,600.4,564.2,0.4,249.0,248.4,0.0]
+                   [IATS(ms)....: 549.6,0.4,252.7,249.3,102.6,153.3,104.8,140.9,2.6,102.6,252.5,506.2,1088.5,524.6,0.5,254.5,249.4,109.0,147.1,100.8,145.2,1.9,102.6,256.1,498.0,504.7,600.4,564.2,0.4,249.0,248.4]
                    [PKTLENS.....: 162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]
  detection-update: [.....3] [ip4][..udp] [...192.168.1.53][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable]
  detection-update: [....11] [ip6][..udp] [..............fe80::18a0:a412:8935:c01b][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable]
@@ -84,7 +84,7 @@
                    [BINS(c->s)..: 0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]
-                   [IATS(ms)....: 33.7,303.8,500.9,195.8,135.7,308.4,212.1,0.7,38.9,154.1,154.5,74.5,133.7,63.7,29.9,38.6,63.9,177.4,37.8,26.0,43.6,64.2,189.8,58.8,4.5,63.5,64.5,43.0,64.5,315.9,64.4,0.0]
+                   [IATS(ms)....: 33.7,303.8,500.9,195.8,135.7,308.4,212.1,0.7,38.9,154.1,154.5,74.5,133.7,63.7,29.9,38.6,63.9,177.4,37.8,26.0,43.6,64.2,189.8,58.8,4.5,63.5,64.5,43.0,64.5,315.9,64.4]
                    [PKTLENS.....: 82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]
               new: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] 
          detected: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] [DNS.GoogleServices][Web][Acceptable]
@@ -97,7 +97,7 @@
                    [BINS(c->s)..: 0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 176.6,505.7,492.8,1175.3,327.6,331.9,1681.3,64.2,63.5,64.3,42.3,63.9,1998.8,63.8,58.3,64.1,69.6,64.4,57.8,43.1,58.1,62.2,58.1,63.8,58.2,64.2,58.2,62.0,69.6,66.6,57.7,0.0]
+                   [IATS(ms)....: 176.6,505.7,492.8,1175.3,327.6,331.9,1681.3,64.2,63.5,64.3,42.3,63.9,1998.8,63.8,58.3,64.1,69.6,64.4,57.8,43.1,58.1,62.2,58.1,63.8,58.2,64.2,58.2,62.0,69.6,66.6,57.7]
                    [PKTLENS.....: 122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]
      not-detected: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unrated]
               new: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] 
@@ -145,7 +145,7 @@
                    [BINS(c->s)..: 0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]
-                   [IATS(ms)....: 38.7,504.7,472.2,31.4,48.8,83.1,90.1,75.5,57.5,58.0,58.1,58.1,52.0,386.6,9.5,8.5,27.3,36.0,21.7,40.2,58.1,58.0,58.2,57.9,70.0,57.9,58.0,8.2,436.3,11.3,25.6,0.0]
+                   [IATS(ms)....: 38.7,504.7,472.2,31.4,48.8,83.1,90.1,75.5,57.5,58.0,58.1,58.1,52.0,386.6,9.5,8.5,27.3,36.0,21.7,40.2,58.1,58.0,58.2,57.9,70.0,57.9,58.0,8.2,436.3,11.3,25.6]
                    [PKTLENS.....: 82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]
               new: [....44] [ip4][..udp] [...192.168.1.77][28150] -> [..87.11.205.195][59772] 
           analyse: [....40] [ip4][..udp] [...192.168.1.77][28150] -> [.....91.108.8.1][..533] [Telegram][Chat][Acceptable]
@@ -155,7 +155,7 @@
                    [BINS(c->s)..: 0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 34.1,504.9,476.9,26.3,48.6,90.1,359.3,474.9,22.9,54.0,44.1,48.8,32.7,70.5,63.7,63.7,64.6,42.0,447.9,51.4,12.5,7.1,54.2,56.0,36.2,28.9,63.9,41.9,63.9,64.6,64.6,0.0]
+                   [IATS(ms)....: 34.1,504.9,476.9,26.3,48.6,90.1,359.3,474.9,22.9,54.0,44.1,48.8,32.7,70.5,63.7,63.7,64.6,42.0,447.9,51.4,12.5,7.1,54.2,56.0,36.2,28.9,63.9,41.9,63.9,64.6,64.6]
                    [PKTLENS.....: 82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]
               new: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] 
          detected: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] [SSDP][System][Acceptable]
diff --git a/test/results/flow-info/telnet.pcap.out b/test/results/flow-info/telnet.pcap.out
index 8320b0ab7..1e8b35279 100644
--- a/test/results/flow-info/telnet.pcap.out
+++ b/test/results/flow-info/telnet.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0]
-                   [IATS(ms)....: 2.5,2.6,1.6,147.8,146.2,0.2,1.6,1.7,3.3,1.3,0.6,1.8,1.1,2.4,3.6,0.6,1.2,22.3,20.4,1.2,13.8,15.0,1.2,0.8,12.8,12.2,20.0,1107.3,1100.0,1232.8,1.4,0.0]
+                   [IATS(ms)....: 2.5,2.6,1.6,147.8,146.2,0.2,1.6,1.7,3.3,1.3,0.6,1.8,1.1,2.4,3.6,0.6,1.2,22.3,20.4,1.2,13.8,15.0,1.2,0.8,12.8,12.2,20.0,1107.3,1100.0,1232.8,1.4]
                    [PKTLENS.....: 74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66]
  detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe]
                    RISK: Unsafe Protocol
diff --git a/test/results/flow-info/tftp.pcap.out b/test/results/flow-info/tftp.pcap.out
index 02ae7ad35..cb8c8a3c4 100644
--- a/test/results/flow-info/tftp.pcap.out
+++ b/test/results/flow-info/tftp.pcap.out
@@ -19,7 +19,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: ]
                    [PKTLENS.....: 558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60]
      DAEMON-EVENT: [Processed: 101 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/tinc.pcap.out b/test/results/flow-info/tinc.pcap.out
index 9b715901b..41b85ae11 100644
--- a/test/results/flow-info/tinc.pcap.out
+++ b/test/results/flow-info/tinc.pcap.out
@@ -20,7 +20,7 @@
                    [BINS(c->s)..: 0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0]
                    [BINS(s->c)..: 0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0]
-                   [IATS(ms)....: 0.2,27.5,0.0,0.0,27.5,0.2,0.1,0.2,0.2,0.1,15.4,0.0,41.8,0.0,0.0,1058.0,0.3,0.3,1003.7,0.1,1.8,0.2,45.3,0.1,0.0,1024.1,0.1,1069.5,0.1,1001.4,0.3,0.0]
+                   [IATS(ms)....: 0.2,27.5,0.0,0.0,27.5,0.2,0.1,0.2,0.2,0.1,15.4,0.0,41.8,0.0,0.0,1058.0,0.3,0.3,1003.7,0.1,1.8,0.2,45.3,0.1,0.0,1024.1,0.1,1069.5,0.1,1001.4,0.3]
                    [PKTLENS.....: 686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494]
           analyse: [.....4] [ip4][..udp] [.185.83.218.112][55656] -> [.131.114.168.27][55656] [TINC][VPN][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -29,7 +29,7 @@
                    [BINS(c->s)..: 0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0]
                    [BINS(s->c)..: 0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0]
-                   [IATS(ms)....: 0.1,0.0,0.6,0.5,0.2,0.1,1049.1,0.0,0.0,1048.0,0.1,0.2,0.1,0.1,0.1,44.1,0.0,0.0,1044.7,0.3,1022.0,20.6,1001.5,0.3,0.2,363.6,1001.2,0.1,0.1,2412.5,0.0,0.0]
+                   [IATS(ms)....: 0.1,0.0,0.6,0.5,0.2,0.1,1049.1,0.0,0.0,1048.0,0.1,0.2,0.1,0.1,0.1,44.1,0.0,0.0,1044.7,0.3,1022.0,20.6,1001.5,0.3,0.2,363.6,1001.2,0.1,0.1,2412.5,0.0]
                    [PKTLENS.....: 766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374]
               end: [.....2] [ip4][..tcp] [.131.114.168.27][49290] -> [.185.83.218.112][55656] [TINC][VPN][Acceptable]
                    RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/tls-appdata.pcap.out b/test/results/flow-info/tls-appdata.pcap.out
index 49fd8f9c1..a87dbcf3c 100644
--- a/test/results/flow-info/tls-appdata.pcap.out
+++ b/test/results/flow-info/tls-appdata.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]
                    [DIRECTIONS..: 0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0]
-                   [IATS(ms)....: 2.0,15.0,3.0,16.0,1.0,1.0,15941.0,1.0,15956.0,5.0,19.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 2.0,15.0,3.0,16.0,1.0,1.0,15941.0,1.0,15956.0,5.0,19.0,1.0,1.0]
                    [PKTLENS.....: 1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54]
  detection-update: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS.Twitch][Video][Fun]
      DAEMON-EVENT: [Processed: 45 pkts][ZLib][compressions: 0|diff: 0 / 0]
diff --git a/test/results/flow-info/tls_certificate_too_long.pcap.out b/test/results/flow-info/tls_certificate_too_long.pcap.out
index 91c179f52..10e2d288b 100644
--- a/test/results/flow-info/tls_certificate_too_long.pcap.out
+++ b/test/results/flow-info/tls_certificate_too_long.pcap.out
@@ -76,7 +76,7 @@
                    [BINS(c->s)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
                    [BINS(s->c)..: 2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1]
-                   [IATS(ms)....: 1.3,0.0,22.7,2.8,42.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,66.6,0.0,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 1.3,0.0,22.7,2.8,42.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,66.6,0.0,0.2,0.0,0.0,0.0]
                    [PKTLENS.....: 1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96]
           analyse: [....25] [ip4][..tcp] [..192.168.1.121][53428] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -85,7 +85,7 @@
                    [BINS(c->s)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1]
-                   [IATS(ms)....: 0.0,1.1,23.2,47.6,37.0,0.0,0.0,0.0,0.0,0.0,11.7,0.4,0.5,9.9,10.2,0.0,0.6,25.3,48.0,32.2,0.0,8.7,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.5,13.0,0.0]
+                   [IATS(ms)....: 0.0,1.1,23.2,47.6,37.0,0.0,0.0,0.0,0.0,0.0,11.7,0.4,0.5,9.9,10.2,0.0,0.6,25.3,48.0,32.2,0.0,8.7,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.5,13.0]
                    [PKTLENS.....: 1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66]
               new: [....26] [ip4][..tcp] [..192.168.1.121][53914] -> [...40.113.10.47][..443] 
               new: [....27] [ip4][..tcp] [..192.168.1.121][53915] -> [...40.113.10.47][..443] 
diff --git a/test/results/flow-info/tls_long_cert.pcap.out b/test/results/flow-info/tls_long_cert.pcap.out
index 782424c97..dffce61ca 100644
--- a/test/results/flow-info/tls_long_cert.pcap.out
+++ b/test/results/flow-info/tls_long_cert.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1]
-                   [IATS(ms)....: 25.2,25.3,0.3,30.1,3.3,1.1,34.2,0.8,0.7,1.9,1.9,0.8,8.4,0.4,28.1,18.6,6.5,0.6,7.1,0.1,26.0,0.0,0.0,25.9,0.0,0.1,0.2,0.2,0.7,0.0,0.0,0.0]
+                   [IATS(ms)....: 25.2,25.3,0.3,30.1,3.3,1.1,34.2,0.8,0.7,1.9,1.9,0.8,8.4,0.4,28.1,18.6,6.5,0.6,7.1,0.1,26.0,0.0,0.0,25.9,0.0,0.1,0.2,0.2,0.7,0.0,0.0]
                    [PKTLENS.....: 78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514]
               end: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe]
      DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/tls_verylong_certificate.pcap.out b/test/results/flow-info/tls_verylong_certificate.pcap.out
index 582d53efb..f1f2b5af4 100644
--- a/test/results/flow-info/tls_verylong_certificate.pcap.out
+++ b/test/results/flow-info/tls_verylong_certificate.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 11.6,11.7,5.7,17.7,3.1,0.2,15.2,0.1,0.1,0.1,0.0,0.1,10.6,21.7,11.2,0.3,14.9,0.0,0.0,14.6,0.0,0.0,0.3,0.3,0.0,0.6,0.0,0.5,0.5,0.1,0.0,0.0]
+                   [IATS(ms)....: 11.6,11.7,5.7,17.7,3.1,0.2,15.2,0.1,0.1,0.1,0.0,0.1,10.6,21.7,11.2,0.3,14.9,0.0,0.0,14.6,0.0,0.0,0.3,0.3,0.0,0.6,0.0,0.5,0.5,0.1,0.0]
                    [PKTLENS.....: 78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118]
  detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe]
               end: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe]
diff --git a/test/results/flow-info/tor.pcap.out b/test/results/flow-info/tor.pcap.out
index a89d330de..20561d889 100644
--- a/test/results/flow-info/tor.pcap.out
+++ b/test/results/flow-info/tor.pcap.out
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 143.8,144.2,0.4,152.7,0.2,159.6,171.7,164.7,190.9,0.1,190.7,0.6,185.1,185.5,145.1,5.7,151.7,184.2,104.7,290.0,146.6,2536.0,2930.5,30770.7,31166.0,0.9,147.0,185.7,696.5,885.2,147.1,0.0]
+                   [IATS(ms)....: 143.8,144.2,0.4,152.7,0.2,159.6,171.7,164.7,190.9,0.1,190.7,0.6,185.1,185.5,145.1,5.7,151.7,184.2,104.7,290.0,146.6,2536.0,2930.5,30770.7,31166.0,0.9,147.0,185.7,696.5,885.2,147.1]
                    [PKTLENS.....: 66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]
           analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -60,7 +60,7 @@
                    [BINS(c->s)..: 5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1]
-                   [IATS(ms)....: 71.0,71.3,6.7,104.3,10.8,112.6,88.6,84.6,73.7,0.1,73.7,0.8,108.4,107.7,67.8,2.3,74.6,103.6,101.8,113.4,368.7,686.5,37720.4,37995.8,68.2,67.5,104.0,189.0,360.8,68.7,0.2,0.0]
+                   [IATS(ms)....: 71.0,71.3,6.7,104.3,10.8,112.6,88.6,84.6,73.7,0.1,73.7,0.8,108.4,107.7,67.8,2.3,74.6,103.6,101.8,113.4,368.7,686.5,37720.4,37995.8,68.2,67.5,104.0,189.0,360.8,68.7,0.2]
                    [PKTLENS.....: 66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514]
       ERROR-EVENT: Unknown packet type
       ERROR-EVENT: Unknown packet type
@@ -108,7 +108,7 @@
                    [BINS(c->s)..: 6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0]
-                   [IATS(ms)....: 73.4,74.4,0.4,74.1,3.2,80.2,86.1,83.2,77.3,0.1,76.2,0.8,117.2,116.3,75.2,24.0,101.9,114.5,465.6,429.3,3.5,80.8,117.0,388.8,507.3,75.9,393.9,666.2,34353.1,34399.0,71328.4,0.0]
+                   [IATS(ms)....: 73.4,74.4,0.4,74.1,3.2,80.2,86.1,83.2,77.3,0.1,76.2,0.8,117.2,116.3,75.2,24.0,101.9,114.5,465.6,429.3,3.5,80.8,117.0,388.8,507.3,75.9,393.9,666.2,34353.1,34399.0,71328.4]
                    [PKTLENS.....: 66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60]
       ERROR-EVENT: Unknown packet type
       ERROR-EVENT: Unknown packet type
@@ -142,7 +142,7 @@
                    [BINS(c->s)..: 4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 64.4,65.8,9.5,82.1,4.2,79.8,91.0,88.4,79.6,0.1,78.2,0.9,110.0,109.4,69.1,1.5,80.2,113.6,35.7,145.8,70.8,343.7,637.5,693.9,990.9,1.6,72.0,109.0,69.0,180.1,69.9,0.0]
+                   [IATS(ms)....: 64.4,65.8,9.5,82.1,4.2,79.8,91.0,88.4,79.6,0.1,78.2,0.9,110.0,109.4,69.1,1.5,80.2,113.6,35.7,145.8,70.8,343.7,637.5,693.9,990.9,1.6,72.0,109.0,69.0,180.1,69.9]
                    [PKTLENS.....: 66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]
       ERROR-EVENT: Unknown packet type
           analyse: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Web][Safe]
@@ -152,7 +152,7 @@
                    [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 143.9,144.3,0.7,149.5,37.2,196.0,163.6,154.0,192.3,56.2,0.2,255.1,2.1,152.8,143.9,143.9,44.6,192.1,147.6,608.5,755.3,145.5,149.4,149.8,132.7,281.6,155.0,87.8,477.2,367.8,127.5,0.0]
+                   [IATS(ms)....: 143.9,144.3,0.7,149.5,37.2,196.0,163.6,154.0,192.3,56.2,0.2,255.1,2.1,152.8,143.9,143.9,44.6,192.1,147.6,608.5,755.3,145.5,149.4,149.8,132.7,281.6,155.0,87.8,477.2,367.8,127.5]
                    [PKTLENS.....: 66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66]
               end: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe]
                    RISK: Obsolete TLS (v1.1 or older)
@@ -249,7 +249,7 @@
                    [BINS(c->s)..: 9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0]
-                   [IATS(ms)....: 59.4,61.6,13.8,72.1,2.1,62.9,63.5,60.0,79.4,0.3,78.8,1.7,98.3,96.6,56.5,4.5,61.8,64.9,64.0,73.7,275.7,252.8,50.8,9.7,261.4,61538.3,61491.4,72591.4,72890.0,4.0,98.0,0.0]
+                   [IATS(ms)....: 59.4,61.6,13.8,72.1,2.1,62.9,63.5,60.0,79.4,0.3,78.8,1.7,98.3,96.6,56.5,4.5,61.8,64.9,64.0,73.7,275.7,252.8,50.8,9.7,261.4,61538.3,61491.4,72591.4,72890.0,4.0,98.0]
                    [PKTLENS.....: 66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60]
       ERROR-EVENT: Unknown packet type
       ERROR-EVENT: Unknown packet type
diff --git a/test/results/flow-info/trickbot.pcap.out b/test/results/flow-info/trickbot.pcap.out
index 9bafcdc01..92b72e29b 100644
--- a/test/results/flow-info/trickbot.pcap.out
+++ b/test/results/flow-info/trickbot.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]
                    [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1]
-                   [IATS(ms)....: 245.7,245.9,0.2,0.1,0.5,0.0,931.1,931.3,2.3,2.3,480.2,0.0,480.3,297.6,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,297.7,227.9,227.9,482.9,0.0,0.0,0.0]
+                   [IATS(ms)....: 245.7,245.9,0.2,0.1,0.5,0.0,931.1,931.3,2.3,2.3,480.2,0.0,480.3,297.6,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,297.7,227.9,227.9,482.9,0.0,0.0]
                    [PKTLENS.....: 66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208]
               end: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable]
                    RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, HTTP Suspicious Content
diff --git a/test/results/flow-info/tumblr.pcap.out b/test/results/flow-info/tumblr.pcap.out
index 3510c7fa4..2d30b88e6 100644
--- a/test/results/flow-info/tumblr.pcap.out
+++ b/test/results/flow-info/tumblr.pcap.out
@@ -18,7 +18,7 @@
                    [BINS(c->s)..: 11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.9,91.7,194.1,0.0,0.0,2.8,104.4,700.9,700.8,1.3,5.8,45.0,0.4,357.1,395.3,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.9,91.7,194.1,0.0,0.0,2.8,104.4,700.9,700.8,1.3,5.8,45.0,0.4,357.1,395.3,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86]
               new: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [MIDSTREAM] 
          detected: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe]
@@ -32,7 +32,7 @@
                    [BINS(c->s)..: 14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0]
-                   [IATS(ms)....: 0.5,25.9,1.1,10.6,37.1,1.9,0.0,1.9,0.0,0.7,0.7,9.9,9.9,0.1,0.0,0.1,0.0,0.2,0.2,0.1,0.1,0.3,0.3,0.1,0.1,0.5,0.0,0.5,0.0,0.1,0.1,0.0]
+                   [IATS(ms)....: 0.5,25.9,1.1,10.6,37.1,1.9,0.0,1.9,0.0,0.7,0.7,9.9,9.9,0.1,0.0,0.1,0.0,0.2,0.2,0.1,0.1,0.3,0.3,0.1,0.1,0.5,0.0,0.5,0.0,0.1,0.1]
                    [PKTLENS.....: 246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86]
  detection-update: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe]
          detected: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe]
@@ -43,7 +43,7 @@
                    [BINS(c->s)..: 12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]
-                   [IATS(ms)....: 0.4,4.8,0.4,27.2,3.0,0.3,2.7,17.3,45.1,0.5,0.5,0.6,0.0,0.6,0.0,7.3,0.0,7.3,0.0,0.3,0.0,0.2,0.0,0.2,0.0,0.2,0.0,1.0,0.0,1.0,0.0,0.0]
+                   [IATS(ms)....: 0.4,4.8,0.4,27.2,3.0,0.3,2.7,17.3,45.1,0.5,0.5,0.6,0.0,0.6,0.0,7.3,0.0,7.3,0.0,0.3,0.0,0.2,0.0,0.2,0.0,0.2,0.0,1.0,0.0,1.0,0.0]
                    [PKTLENS.....: 198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86]
  detection-update: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe]
               new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] 
@@ -57,7 +57,7 @@
                    [BINS(c->s)..: 10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0]
-                   [IATS(ms)....: 33.2,33.2,0.5,47.7,47.2,1.2,37.7,2.1,38.6,0.0,0.0,0.8,0.7,0.8,0.8,2.6,0.2,0.2,0.1,26.3,0.6,0.0,0.1,1.4,25.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 33.2,33.2,0.5,47.7,47.2,1.2,37.7,2.1,38.6,0.0,0.0,0.8,0.7,0.8,0.8,2.6,0.2,0.2,0.1,26.3,0.6,0.0,0.1,1.4,25.2,0.0]
                    [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86]
               new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] 
               new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] 
@@ -73,7 +73,7 @@
                    [BINS(c->s)..: 8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 0.4,0.1,0.4,0.2,26.4,36.6,2.2,0.4,10.0,21.7,0.2,0.2,0.2,0.2,0.4,0.0,0.2,0.5,0.0,0.6,0.1,0.1,0.1,0.2,0.5,0.0,0.6,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 0.4,0.1,0.4,0.2,26.4,36.6,2.2,0.4,10.0,21.7,0.2,0.2,0.2,0.2,0.4,0.0,0.2,0.5,0.0,0.6,0.1,0.1,0.1,0.2,0.5,0.0,0.6]
                    [PKTLENS.....: 206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86]
  detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Web][Safe]
               new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [MIDSTREAM] 
@@ -93,7 +93,7 @@
                    [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 22.6,22.7,0.4,30.7,24.8,0.0,0.0,54.9,0.0,0.0,0.0,0.0,0.0,1.5,0.2,0.1,59.7,70.2,0.0,28.6,37.1,0.5,0.0,0.0,0.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 22.6,22.7,0.4,30.7,24.8,0.0,0.0,54.9,0.0,0.0,0.0,0.0,0.0,1.5,0.2,0.1,59.7,70.2,0.0,28.6,37.1,0.5,0.0,0.0,0.5,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86]
               new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [MIDSTREAM] 
               new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [MIDSTREAM] 
@@ -127,7 +127,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 21.4,21.5,0.5,29.5,160.4,189.4,0.2,0.2,0.0,0.8,0.8,3.8,0.1,0.2,28.7,0.0,1.0,78.0,0.0,103.6,0.1,0.7,29.8,79.1,108.2,0.1,0.1,0.4,0.4,0.1,0.0,0.0]
+                   [IATS(ms)....: 21.4,21.5,0.5,29.5,160.4,189.4,0.2,0.2,0.0,0.8,0.8,3.8,0.1,0.2,28.7,0.0,1.0,78.0,0.0,103.6,0.1,0.7,29.8,79.1,108.2,0.1,0.1,0.4,0.4,0.1]
                    [PKTLENS.....: 94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486]
  detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun]
               new: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] 
@@ -141,7 +141,7 @@
                    [BINS(c->s)..: 13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1]
-                   [IATS(ms)....: 19473.3,0.3,19513.6,40.0,0.1,0.0,0.0,0.0,0.0,0.6,0.6,1.1,0.0,0.0,0.0,1.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 19473.3,0.3,19513.6,40.0,0.1,0.0,0.0,0.0,0.0,0.6,0.6,1.1,0.0,0.0,0.0,1.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.0,0.0]
                    [PKTLENS.....: 86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134]
  detection-update: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Web][Safe]
          detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable]
@@ -154,7 +154,7 @@
                    [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0]
-                   [IATS(ms)....: 67.4,67.5,0.3,44.1,5.3,0.0,49.1,0.0,0.1,0.1,18.6,10.2,0.7,42.4,12.9,0.2,14.3,2.0,0.0,16.1,2.6,0.0,2.6,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0]
+                   [IATS(ms)....: 67.4,67.5,0.3,44.1,5.3,0.0,49.1,0.0,0.1,0.1,18.6,10.2,0.7,42.4,12.9,0.2,14.3,2.0,0.0,16.1,2.6,0.0,2.6,0.0,0.1,0.0,0.0,0.0,0.0]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86]
           analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -163,7 +163,7 @@
                    [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1]
-                   [IATS(ms)....: 30.3,30.3,0.2,70.7,12.6,0.0,0.0,83.0,0.1,0.0,0.9,32.4,31.5,5.9,16.3,0.1,34.6,1.9,14.2,7.2,10.7,16.9,0.0,0.0,34.7,0.0,0.0,0.0,0.9,0.0,0.0,0.0]
+                   [IATS(ms)....: 30.3,30.3,0.2,70.7,12.6,0.0,0.0,83.0,0.1,0.0,0.9,32.4,31.5,5.9,16.3,0.1,34.6,1.9,14.2,7.2,10.7,16.9,0.0,0.0,34.7,0.0,0.0,0.0,0.9]
                    [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294]
          detected: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][55560] -> [...............2a00:1450:4007:817::200a][..443] [TLS][Web][Safe]
          detected: [.....7] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS][Web][Safe]
@@ -178,7 +178,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]
-                   [IATS(ms)....: 29.5,29.5,0.2,37.9,9.0,46.8,0.7,0.1,31.0,1.8,7.0,39.1,52.6,52.7,371.9,406.4,20.7,55.2,2.5,32.9,9.3,39.7,16556.7,16588.7,11.4,43.4,16.9,58.4,9.8,93.2,46.8,0.0]
+                   [IATS(ms)....: 29.5,29.5,0.2,37.9,9.0,46.8,0.7,0.1,31.0,1.8,7.0,39.1,52.6,52.7,371.9,406.4,20.7,55.2,2.5,32.9,9.3,39.7,16556.7,16588.7,11.4,43.4,16.9,58.4,9.8,93.2,46.8]
                    [PKTLENS.....: 94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670]
               new: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40190] -> [...............2a00:1450:4007:80a::200a][..443] [MIDSTREAM] 
           guessed: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48988] -> [...............2a00:1450:4007:811::2004][..443] [TLS][Web][Safe]
diff --git a/test/results/flow-info/tunnelbear.pcap.out b/test/results/flow-info/tunnelbear.pcap.out
index 9f143a4ff..581124cef 100644
--- a/test/results/flow-info/tunnelbear.pcap.out
+++ b/test/results/flow-info/tunnelbear.pcap.out
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 4.8,10.8,0.0,6.0,71.1,71.7,62.5,63.1,0.2,0.1,0.1,0.1,2.3,2.2,58.3,58.8,0.5,0.2,0.2,0.1,0.2,0.1,0.6,0.8,214.5,265.9,52.4,51.4,53.8,54.6,51.8,0.0]
+                   [IATS(ms)....: 4.8,10.8,0.0,6.0,71.1,71.7,62.5,63.1,0.2,0.1,0.1,0.1,2.3,2.2,58.3,58.8,0.5,0.2,0.2,0.1,0.2,0.1,0.6,0.8,214.5,265.9,52.4,51.4,53.8,54.6,51.8]
                    [PKTLENS.....: 74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885]
               new: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] 
               new: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] 
@@ -41,7 +41,7 @@
                    [BINS(c->s)..: 9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0]
-                   [IATS(ms)....: 3.4,3.9,2.0,2.9,57.3,108.0,0.8,51.4,0.3,0.1,0.1,0.1,0.1,0.1,50.9,51.9,1.0,50.4,50.8,196.8,233.7,37.7,51.5,50.9,51.1,0.1,51.0,0.5,0.2,0.4,1.0,0.0]
+                   [IATS(ms)....: 3.4,3.9,2.0,2.9,57.3,108.0,0.8,51.4,0.3,0.1,0.1,0.1,0.1,0.1,50.9,51.9,1.0,50.4,50.8,196.8,233.7,37.7,51.5,50.9,51.1,0.1,51.0,0.5,0.2,0.4,1.0]
                    [PKTLENS.....: 74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54]
               new: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [MIDSTREAM] 
          detected: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable]
@@ -97,7 +97,7 @@
                    [BINS(c->s)..: 3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 4.1,5.3,2.0,3.4,237.7,240.1,0.0,2.4,9.3,9.4,0.2,0.1,1.4,1.5,0.1,0.1,0.1,0.1,100.5,152.6,52.3,7.0,20.6,16.0,10.0,8.0,0.8,1.3,7.0,6.2,340.4,0.0]
+                   [IATS(ms)....: 4.1,5.3,2.0,3.4,237.7,240.1,0.0,2.4,9.3,9.4,0.2,0.1,1.4,1.5,0.1,0.1,0.1,0.1,100.5,152.6,52.3,7.0,20.6,16.0,10.0,8.0,0.8,1.3,7.0,6.2,340.4]
                    [PKTLENS.....: 74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954]
               new: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] 
          detected: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable]
diff --git a/test/results/flow-info/ultrasurf.pcap.out b/test/results/flow-info/ultrasurf.pcap.out
index 92e0ffd86..7bbe734e6 100644
--- a/test/results/flow-info/ultrasurf.pcap.out
+++ b/test/results/flow-info/ultrasurf.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10]
                    [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 0.0,21.3,0.0,11.0,29.1,61.5,0.0,10.8,0.0,9.2,30.8,10.8,0.0,20.0,0.0,29.3,0.0,0.0,0.0,9.3,30.6,150.5,0.0,11.9,141.8,0.0,17.9,20.0,0.0,20.0,10.1,0.0]
+                   [IATS(ms)....: 0.0,21.3,0.0,11.0,29.1,61.5,0.0,10.8,0.0,9.2,30.8,10.8,0.0,20.0,0.0,29.3,0.0,0.0,0.0,9.3,30.6,150.5,0.0,11.9,141.8,0.0,17.9,20.0,0.0,20.0,10.1]
                    [PKTLENS.....: 2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646]
               new: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] 
          detected: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe]
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0]
                    [BINS(s->c)..: 4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1]
-                   [IATS(ms)....: 211.2,260.4,0.0,269.6,0.0,10.1,9.9,260.4,0.0,20.0,20.0,10.9,0.0,270.8,9.7,0.0,10.3,229.5,0.0,20.0,40.1,29.9,0.0,10.1,29.9,210.9,0.0,0.0,0.0,9.4,0.0,0.0]
+                   [IATS(ms)....: 211.2,260.4,0.0,269.6,0.0,10.1,9.9,260.4,0.0,20.0,20.0,10.9,0.0,270.8,9.7,0.0,10.3,229.5,0.0,20.0,40.1,29.9,0.0,10.1,29.9,210.9,0.0,0.0,0.0,9.4,0.0]
                    [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131]
               new: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] 
          detected: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe]
@@ -38,7 +38,7 @@
                    [BINS(c->s)..: 7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 209.5,239.7,0.0,251.1,0.0,11.4,0.0,260.7,0.0,9.6,20.0,20.0,269.1,20.0,0.0,231.0,0.0,20.0,0.0,0.0,0.0,0.0,0.0,249.6,0.0,0.0,0.0,0.0,10.1,0.0,0.0,0.0]
+                   [IATS(ms)....: 209.5,239.7,0.0,251.1,0.0,11.4,0.0,260.7,0.0,9.6,20.0,20.0,269.1,20.0,0.0,231.0,0.0,20.0,0.0,0.0,0.0,0.0,0.0,249.6,0.0,0.0,0.0,0.0,10.1,0.0,0.0]
                    [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358]
               end: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable]
               end: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe]
diff --git a/test/results/flow-info/viber.pcap.out b/test/results/flow-info/viber.pcap.out
index 5be65d076..dfa723c25 100644
--- a/test/results/flow-info/viber.pcap.out
+++ b/test/results/flow-info/viber.pcap.out
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0]
-                   [IATS(ms)....: 19.5,21.7,1.0,22.3,3.2,0.2,0.0,0.2,39.4,0.1,0.6,0.3,10.8,47.8,22.3,40.8,0.3,0.1,0.2,0.3,0.0,0.2,0.3,0.2,0.2,0.5,41.2,0.1,0.0,0.0,1.1,0.0]
+                   [IATS(ms)....: 19.5,21.7,1.0,22.3,3.2,0.2,0.0,0.2,39.4,0.1,0.6,0.3,10.8,47.8,22.3,40.8,0.3,0.1,0.2,0.3,0.0,0.2,0.3,0.2,0.2,0.5,41.2,0.1,0.0,0.0,1.1]
                    [PKTLENS.....: 74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66]
  detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable]
               new: [....11] [ip4][..udp] [...192.168.0.17][41993] -> [.172.217.23.106][..443] 
@@ -66,7 +66,7 @@
                    [BINS(c->s)..: 4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0]
-                   [IATS(ms)....: 54.2,95.9,0.3,44.0,41.8,57.0,16.1,92.1,91.6,10563.9,10701.7,4192.1,4152.7,4422.1,4422.1,309.5,309.6,21.6,197.0,0.1,215.0,3974.5,3934.9,3635.3,52.6,3635.3,52.6,12.7,140.8,167.5,4361.2,0.0]
+                   [IATS(ms)....: 54.2,95.9,0.3,44.0,41.8,57.0,16.1,92.1,91.6,10563.9,10701.7,4192.1,4152.7,4422.1,4422.1,309.5,309.6,21.6,197.0,0.1,215.0,3974.5,3934.9,3635.3,52.6,3635.3,52.6,12.7,140.8,167.5,4361.2]
                    [PKTLENS.....: 167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596]
           guessed: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable]
          detected: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable]
@@ -86,7 +86,7 @@
                    [BINS(c->s)..: 6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 0.1,33.1,500.3,500.3,503.5,15.2,503.2,15.3,516.1,515.7,477.7,477.6,36.8,36.8,525.0,525.0,440.4,440.7,68.1,67.8,523.1,523.2,412.0,411.8,84.1,84.2,517.8,517.8,399.8,399.7,114.8,0.0]
+                   [IATS(ms)....: 0.1,33.1,500.3,500.3,503.5,15.2,503.2,15.3,516.1,515.7,477.7,477.6,36.8,36.8,525.0,525.0,440.4,440.7,68.1,67.8,523.1,523.2,412.0,411.8,84.1,84.2,517.8,517.8,399.8,399.7,114.8]
                    [PKTLENS.....: 299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299]
               new: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] 
               new: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] 
@@ -101,7 +101,7 @@
                    [BINS(c->s)..: 10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 2.5,0.1,31.7,2.3,505.5,505.7,496.9,2.1,6.7,496.6,8.7,505.3,505.4,490.8,0.1,15.0,490.7,15.1,513.2,513.2,531.4,0.1,0.0,531.4,0.2,492.9,493.0,448.2,0.1,448.1,58.4,0.0]
+                   [IATS(ms)....: 2.5,0.1,31.7,2.3,505.5,505.7,496.9,2.1,6.7,496.6,8.7,505.3,505.4,490.8,0.1,15.0,490.7,15.1,513.2,513.2,531.4,0.1,0.0,531.4,0.2,492.9,493.0,448.2,0.1,448.1,58.4]
                    [PKTLENS.....: 299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299]
               new: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] 
          detected: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Web][Acceptable]
diff --git a/test/results/flow-info/vnc.pcap.out b/test/results/flow-info/vnc.pcap.out
index 460456186..4b435b887 100644
--- a/test/results/flow-info/vnc.pcap.out
+++ b/test/results/flow-info/vnc.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1]
-                   [IATS(ms)....: 0.5,38.8,49.9,50.3,38.8,37.1,157.8,7.0,164.5,0.7,37.5,0.2,0.0,36.4,0.0,37.3,1.2,0.0,0.2,0.7,0.0,0.7,0.5,199.0,310.3,0.0,0.1,545.3,0.7,22.3,59.5,0.0]
+                   [IATS(ms)....: 0.5,38.8,49.9,50.3,38.8,37.1,157.8,7.0,164.5,0.7,37.5,0.2,0.0,36.4,0.0,37.3,1.2,0.0,0.2,0.7,0.0,0.7,0.5,199.0,310.3,0.0,0.1,545.3,0.7,22.3,59.5]
                    [PKTLENS.....: 66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54]
               new: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] 
          detected: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable]
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0]
-                   [IATS(ms)....: 0.1,37.5,48.7,49.6,38.3,36.9,46.4,48.5,45.7,1.7,45.5,0.2,37.4,0.5,0.4,36.8,3.0,39.9,0.8,0.2,0.8,0.8,0.2,0.0,1.0,501.8,0.0,0.7,538.8,0.0,97.7,0.0]
+                   [IATS(ms)....: 0.1,37.5,48.7,49.6,38.3,36.9,46.4,48.5,45.7,1.7,45.5,0.2,37.4,0.5,0.4,36.8,3.0,39.9,0.8,0.2,0.8,0.8,0.2,0.0,1.0,501.8,0.0,0.7,538.8,0.0,97.7]
                    [PKTLENS.....: 66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81]
              idle: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable]
                    RISK: Known Proto on Non Std Port, Desktop/File Sharing
diff --git a/test/results/flow-info/vxlan.pcap.out b/test/results/flow-info/vxlan.pcap.out
index cc3e2a4f5..42f7c2f34 100644
--- a/test/results/flow-info/vxlan.pcap.out
+++ b/test/results/flow-info/vxlan.pcap.out
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 10.5,1.4,0.1,0.0,11.4,0.5,9.5,113.3,10.6,140.6,0.1,0.1,3.1,0.2,0.6,0.2,1.3,0.2,1.3,3.6,0.2,0.4,0.2,2.3,0.2,0.3,0.2,0.8,0.2,0.7,0.2,0.0]
+                   [IATS(ms)....: 10.5,1.4,0.1,0.0,11.4,0.5,9.5,113.3,10.6,140.6,0.1,0.1,3.1,0.2,0.6,0.2,1.3,0.2,1.3,3.6,0.2,0.4,0.2,2.3,0.2,0.3,0.2,0.8,0.2,0.7,0.2]
                    [PKTLENS.....: 128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]
           analyse: [.....7] [ip4][..udp] [...192.168.22.4][40646] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -35,7 +35,7 @@
                    [BINS(c->s)..: 0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 10.3,0.3,11.5,0.2,0.0,1.3,10.0,41.8,81.5,0.4,150.8,3.1,0.8,1.5,1.4,3.8,0.6,2.5,0.5,1.0,0.9,0.8,0.7,0.8,0.7,2.1,0.3,0.4,2.3,0.4,0.2,0.0]
+                   [IATS(ms)....: 10.3,0.3,11.5,0.2,0.0,1.3,10.0,41.8,81.5,0.4,150.8,3.1,0.8,1.5,1.4,3.8,0.6,2.5,0.5,1.0,0.9,0.8,0.7,0.8,0.7,2.1,0.3,0.4,2.3,0.4,0.2]
                    [PKTLENS.....: 128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120]
              idle: [.....5] [ip4][..udp] [...192.168.22.4][60351] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable]
              idle: [.....6] [ip4][..udp] [...192.168.22.5][50251] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable]
diff --git a/test/results/flow-info/wa_video.pcap.out b/test/results/flow-info/wa_video.pcap.out
index 3e5258b1c..4fefc2819 100644
--- a/test/results/flow-info/wa_video.pcap.out
+++ b/test/results/flow-info/wa_video.pcap.out
@@ -23,7 +23,7 @@
                    [BINS(c->s)..: 11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 51.7,176.8,0.0,439.6,1227.8,0.8,306.1,108.9,2404.5,0.2,0.0,0.3,0.0,0.0,0.3,133.1,0.6,40.7,0.3,7.7,7.9,1.7,1.6,528.8,1.1,0.7,0.7,0.7,2.7,2.6,0.0,0.0]
+                   [IATS(ms)....: 51.7,176.8,0.0,439.6,1227.8,0.8,306.1,108.9,2404.5,0.2,0.0,0.3,0.0,0.0,0.3,133.1,0.6,40.7,0.3,7.7,7.9,1.7,1.6,528.8,1.1,0.7,0.7,0.7,2.7,2.6]
                    [PKTLENS.....: 614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220]
           guessed: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable]
          detected: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable]
@@ -34,7 +34,7 @@
                    [BINS(c->s)..: 3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0]
-                   [IATS(ms)....: 0.1,13.1,1.1,548.2,0.8,550.1,16.2,0.1,20.3,0.1,23.6,0.6,14.5,1.0,0.1,79.3,29.6,0.1,23.2,0.2,20.0,0.3,24.4,3.5,104.4,150.5,15.9,197.6,75.4,2.5,68.2,0.0]
+                   [IATS(ms)....: 0.1,13.1,1.1,548.2,0.8,550.1,16.2,0.1,20.3,0.1,23.6,0.6,14.5,1.0,0.1,79.3,29.6,0.1,23.2,0.2,20.0,0.3,24.4,3.5,104.4,150.5,15.9,197.6,75.4,2.5,68.2]
                    [PKTLENS.....: 168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62]
               new: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] 
          detected: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable]
@@ -51,7 +51,7 @@
                    [BINS(c->s)..: 0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1]
-                   [IATS(ms)....: 707.1,619.8,619.1,1979.4,36.3,69.7,132.0,26.4,100.1,1.5,36.5,24.6,0.1,0.2,0.3,0.3,10.7,26.1,102.4,15.1,0.3,0.6,0.5,0.9,0.2,0.8,7.6,0.9,0.1,0.6,131.2,0.0]
+                   [IATS(ms)....: 707.1,619.8,619.1,1979.4,36.3,69.7,132.0,26.4,100.1,1.5,36.5,24.6,0.1,0.2,0.3,0.3,10.7,26.1,102.4,15.1,0.3,0.6,0.5,0.9,0.2,0.8,7.6,0.9,0.1,0.6,131.2]
                    [PKTLENS.....: 86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224]
               new: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] 
          detected: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable]
diff --git a/test/results/flow-info/wa_voice.pcap.out b/test/results/flow-info/wa_voice.pcap.out
index 142b38a44..7dd27a4da 100644
--- a/test/results/flow-info/wa_voice.pcap.out
+++ b/test/results/flow-info/wa_voice.pcap.out
@@ -20,7 +20,7 @@
                    [BINS(c->s)..: 11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1]
-                   [IATS(ms)....: 40.7,137.0,170.4,304.1,130.2,0.1,31.0,5.3,0.0,0.4,0.0,0.2,0.0,1.2,210.1,0.3,0.0,0.0,0.2,0.0,0.3,41.4,129.9,0.1,0.0,0.0,0.0,1.0,24.3,131.9,0.0,0.0]
+                   [IATS(ms)....: 40.7,137.0,170.4,304.1,130.2,0.1,31.0,5.3,0.0,0.4,0.0,0.2,0.0,1.2,210.1,0.3,0.0,0.0,0.2,0.0,0.3,41.4,129.9,0.1,0.0,0.0,0.0,1.0,24.3,131.9,0.0]
                    [PKTLENS.....: 78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66]
               new: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] 
          detected: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Download][Acceptable]
@@ -35,7 +35,7 @@
                    [BINS(c->s)..: 10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0]
-                   [IATS(ms)....: 19.7,127.7,2.8,126.3,2.9,0.0,0.0,21.0,0.2,145.2,0.0,0.0,0.0,0.0,0.0,163.3,0.0,0.0,0.2,0.0,0.0,17.5,0.3,0.0,0.0,2.4,0.3,0.1,0.4,0.6,0.0,0.0]
+                   [IATS(ms)....: 19.7,127.7,2.8,126.3,2.9,0.0,0.0,21.0,0.2,145.2,0.0,0.0,0.0,0.0,0.0,163.3,0.0,0.0,0.2,0.0,0.0,17.5,0.3,0.0,0.0,2.4,0.3,0.1,0.4,0.6]
                    [PKTLENS.....: 78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97]
               new: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] 
          detected: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable]
@@ -74,7 +74,7 @@
                    [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1]
-                   [IATS(ms)....: 37.2,39.0,11.1,51.5,1.0,0.1,0.0,42.8,0.1,34.6,3.8,0.4,0.2,0.3,76.2,0.0,34.9,0.4,0.3,3.6,0.0,2.9,1.3,3.4,77.4,53.7,129.1,1.4,0.0,0.2,0.1,0.0]
+                   [IATS(ms)....: 37.2,39.0,11.1,51.5,1.0,0.1,0.0,42.8,0.1,34.6,3.8,0.4,0.2,0.3,76.2,0.0,34.9,0.4,0.3,3.6,0.0,2.9,1.3,3.4,77.4,53.7,129.1,1.4,0.0,0.2,0.1]
                    [PKTLENS.....: 78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454]
               new: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] 
          detected: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable]
@@ -88,7 +88,7 @@
                    [BINS(c->s)..: 6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1]
-                   [IATS(ms)....: 0.1,13.4,0.1,12194.2,12196.2,104.4,0.1,105.1,0.0,108.6,104.6,3043.3,3048.9,3100.9,3096.0,3015.3,3016.6,2001.9,2.2,107.1,164.0,190.1,88.5,28.8,198.6,134.0,3008.1,91.0,35.6,0.3,36.5,0.0]
+                   [IATS(ms)....: 0.1,13.4,0.1,12194.2,12196.2,104.4,0.1,105.1,0.0,108.6,104.6,3043.3,3048.9,3100.9,3096.0,3015.3,3016.6,2001.9,2.2,107.1,164.0,190.1,88.5,28.8,198.6,134.0,3008.1,91.0,35.6,0.3,36.5]
                    [PKTLENS.....: 168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86]
               new: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] 
          detected: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] [STUN.WhatsAppCall][VoIP][Acceptable]
@@ -100,7 +100,7 @@
                    [BINS(c->s)..: 1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1]
-                   [IATS(ms)....: 578.2,623.6,1203.7,72.5,167.2,11.6,115.7,158.4,0.0,172.8,173.6,169.8,156.2,136.6,155.3,179.8,99.3,157.4,38.3,163.4,181.3,166.6,142.4,3.0,26.0,115.3,6.1,171.8,106.3,56.2,143.4,0.0]
+                   [IATS(ms)....: 578.2,623.6,1203.7,72.5,167.2,11.6,115.7,158.4,0.0,172.8,173.6,169.8,156.2,136.6,155.3,179.8,99.3,157.4,38.3,163.4,181.3,166.6,142.4,3.0,26.0,115.3,6.1,171.8,106.3,56.2,143.4]
                    [PKTLENS.....: 86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193]
  detection-update: [....12] [ip4][..udp] [...192.168.2.12][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable]
  detection-update: [....13] [ip6][..udp] [...............fe80::414:409d:8afd:9f05][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable]
diff --git a/test/results/flow-info/waze.pcap.out b/test/results/flow-info/waze.pcap.out
index a7d28ebf4..ec2ec66fb 100644
--- a/test/results/flow-info/waze.pcap.out
+++ b/test/results/flow-info/waze.pcap.out
@@ -71,7 +71,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 3.7,3.9,21.8,22.4,3678.0,3680.6,286.1,284.3,338.9,393.5,330.3,329.4,54.6,2.0,179.3,179.5,2.6,51.2,50.7,3.1,28.5,76.3,51.1,51.3,122.7,73.5,10.2,59.1,52.6,58.3,56.5,0.0]
+                   [IATS(ms)....: 3.7,3.9,21.8,22.4,3678.0,3680.6,286.1,284.3,338.9,393.5,330.3,329.4,54.6,2.0,179.3,179.5,2.6,51.2,50.7,3.1,28.5,76.3,51.1,51.3,122.7,73.5,10.2,59.1,52.6,58.3,56.5]
                    [PKTLENS.....: 74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54]
           analyse: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -80,7 +80,7 @@
                    [BINS(c->s)..: 5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1]
-                   [IATS(ms)....: 1.2,10.9,357.2,367.1,474.4,475.3,8.1,9.0,265.9,317.7,52.0,0.9,0.6,0.3,0.3,1430.1,1483.3,119.5,172.8,51.4,51.9,1.4,0.9,0.5,0.4,0.3,0.4,1601.9,1658.8,0.2,57.1,0.0]
+                   [IATS(ms)....: 1.2,10.9,357.2,367.1,474.4,475.3,8.1,9.0,265.9,317.7,52.0,0.9,0.6,0.3,0.3,1430.1,1483.3,119.5,172.8,51.4,51.9,1.4,0.9,0.5,0.4,0.3,0.4,1601.9,1658.8,0.2,57.1]
                    [PKTLENS.....: 74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54]
  detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS.Waze][Web][Acceptable]
                    RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
@@ -134,7 +134,7 @@
                    [BINS(c->s)..: 12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1]
-                   [IATS(ms)....: 1.3,1.6,226.9,227.5,336.5,387.2,51.3,1.2,297.2,297.8,252.5,309.4,358.7,415.9,0.8,0.5,0.5,0.6,254.3,305.5,51.8,52.5,211.3,161.3,248.0,249.1,81.3,79.5,208.7,209.7,0.6,0.0]
+                   [IATS(ms)....: 1.3,1.6,226.9,227.5,336.5,387.2,51.3,1.2,297.2,297.8,252.5,309.4,358.7,415.9,0.8,0.5,0.5,0.6,254.3,305.5,51.8,52.5,211.3,161.3,248.0,249.1,81.3,79.5,208.7,209.7,0.6]
                    [PKTLENS.....: 74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54]
           analyse: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] 
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -143,7 +143,7 @@
                    [BINS(c->s)..: 12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0]
-                   [IATS(ms)....: 2.4,2.8,291.8,292.5,279.8,332.4,52.7,50.7,425.1,475.7,259.9,310.7,0.7,51.4,0.6,0.7,0.5,0.3,293.9,546.0,252.8,1.5,20.2,21.2,56.9,56.8,156.2,205.9,52.7,4.2,1449.2,0.0]
+                   [IATS(ms)....: 2.4,2.8,291.8,292.5,279.8,332.4,52.7,50.7,425.1,475.7,259.9,310.7,0.7,51.4,0.6,0.7,0.5,0.3,293.9,546.0,252.8,1.5,20.2,21.2,56.9,56.8,156.2,205.9,52.7,4.2,1449.2]
                    [PKTLENS.....: 74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54]
  detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] [TLS.Waze][Web][Acceptable]
                    RISK: Obsolete TLS (v1.1 or older)
@@ -154,7 +154,7 @@
                    [BINS(c->s)..: 10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]
-                   [IATS(ms)....: 9.1,9.5,461.2,462.1,319.2,370.8,51.5,0.6,58.7,59.3,267.3,318.5,5838.7,5890.9,1.9,3.1,232.7,285.9,1892.6,1892.4,50.9,52.2,293.0,345.1,0.6,0.4,1258.6,1310.0,5014.8,5014.5,51.5,0.0]
+                   [IATS(ms)....: 9.1,9.5,461.2,462.1,319.2,370.8,51.5,0.6,58.7,59.3,267.3,318.5,5838.7,5890.9,1.9,3.1,232.7,285.9,1892.6,1892.4,50.9,52.2,293.0,345.1,0.6,0.4,1258.6,1310.0,5014.8,5014.5,51.5]
                    [PKTLENS.....: 74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54]
               new: [....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] 
          detected: [....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] [TLS.AmazonAWS][Cloud][Acceptable]
diff --git a/test/results/flow-info/webex.pcap.out b/test/results/flow-info/webex.pcap.out
index 71c6b6072..aed878e15 100644
--- a/test/results/flow-info/webex.pcap.out
+++ b/test/results/flow-info/webex.pcap.out
@@ -13,7 +13,7 @@
                    [BINS(c->s)..: 9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0]
-                   [IATS(ms)....: 6.5,6.7,0.2,0.6,505.7,557.3,57.9,60.1,0.9,55.6,257.5,309.3,10.1,61.4,0.8,0.7,299.2,351.3,56.0,56.2,0.8,52.9,0.4,2.8,268.6,322.3,52.3,51.9,18.4,69.5,0.5,0.0]
+                   [IATS(ms)....: 6.5,6.7,0.2,0.6,505.7,557.3,57.9,60.1,0.9,55.6,257.5,309.3,10.1,61.4,0.8,0.7,299.2,351.3,56.0,56.2,0.8,52.9,0.4,2.8,268.6,322.3,52.3,51.9,18.4,69.5,0.5]
                    [PKTLENS.....: 74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518]
  detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 5.6,6.8,0.2,1.5,404.7,455.3,0.6,51.3,245.8,245.9,0.4,0.3,223.3,274.8,51.6,0.4,0.3,283.1,286.1,84.1,131.8,50.9,51.2,56.8,56.7,181.0,181.0,56.1,58.6,54.5,58.4,0.0]
+                   [IATS(ms)....: 5.6,6.8,0.2,1.5,404.7,455.3,0.6,51.3,245.8,245.9,0.4,0.3,223.3,274.8,51.6,0.4,0.3,283.1,286.1,84.1,131.8,50.9,51.2,56.8,56.7,181.0,181.0,56.1,58.6,54.5,58.4]
                    [PKTLENS.....: 74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54]
               new: [.....5] [ip4][..tcp] [..10.133.206.47][54651] -> [..185.63.147.10][..443] [MIDSTREAM] 
               new: [.....6] [ip4][..tcp] [..10.133.206.47][59447] -> [..107.20.242.44][..443] [MIDSTREAM] 
@@ -65,7 +65,7 @@
                    [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 3.1,3.2,1.9,2.2,397.0,448.1,52.0,52.1,0.4,52.4,209.8,261.8,51.8,1.3,1.0,979.9,1031.5,52.6,53.5,94.1,93.8,53.1,53.9,119.1,117.5,148.4,147.8,51.4,51.4,96.7,96.6,0.0]
+                   [IATS(ms)....: 3.1,3.2,1.9,2.2,397.0,448.1,52.0,52.1,0.4,52.4,209.8,261.8,51.8,1.3,1.0,979.9,1031.5,52.6,53.5,94.1,93.8,53.1,53.9,119.1,117.5,148.4,147.8,51.4,51.4,96.7,96.6]
                    [PKTLENS.....: 74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54]
               new: [....10] [ip4][..tcp] [.......10.8.0.1][41726] -> [.114.29.213.212][..443] 
               new: [....11] [ip4][..tcp] [.......10.8.0.1][51646] -> [..114.29.204.49][..443] 
@@ -198,7 +198,7 @@
                    [BINS(c->s)..: 13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 14.2,16.6,0.1,3.2,966.8,968.2,50.6,52.1,160.0,217.3,56.9,151.8,203.4,506.4,456.2,506.1,506.2,258.0,307.3,51.0,1.8,210.7,261.7,55.5,54.3,51.9,51.3,2214.6,2165.1,3.2,2.9,0.0]
+                   [IATS(ms)....: 14.2,16.6,0.1,3.2,966.8,968.2,50.6,52.1,160.0,217.3,56.9,151.8,203.4,506.4,456.2,506.1,506.2,258.0,307.3,51.0,1.8,210.7,261.7,55.5,54.3,51.9,51.3,2214.6,2165.1,3.2,2.9]
                    [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54]
  detection-update: [....39] [ip4][..tcp] [.......10.8.0.1][55665] -> [..173.243.0.110][..443] [TLS.Webex][VoIP][Acceptable]
                    RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
@@ -209,7 +209,7 @@
                    [BINS(c->s)..: 3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 9.1,24.1,0.4,16.5,915.3,917.4,50.7,52.7,154.6,206.6,52.4,7.9,9.4,3.3,2.1,963.3,962.0,0.5,0.4,0.4,0.3,562.0,562.1,368.6,368.5,0.7,0.6,2270.1,2270.1,1.0,1.0,0.0]
+                   [IATS(ms)....: 9.1,24.1,0.4,16.5,915.3,917.4,50.7,52.7,154.6,206.6,52.4,7.9,9.4,3.3,2.1,963.3,962.0,0.5,0.4,0.4,0.3,562.0,562.1,368.6,368.5,0.7,0.6,2270.1,2270.1,1.0,1.0]
                    [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54]
               new: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] 
          detected: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] [TLS.Webex][VoIP][Acceptable]
@@ -279,7 +279,7 @@
                    [BINS(c->s)..: 7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1]
-                   [IATS(ms)....: 4.2,5.0,6.4,7.6,1312.6,1366.7,17.5,71.4,145.7,199.0,0.3,53.7,129.5,180.9,0.2,51.5,121.2,172.3,51.5,51.2,125.5,176.2,50.8,50.8,0.5,1.0,264.3,263.8,0.8,0.9,1006.9,0.0]
+                   [IATS(ms)....: 4.2,5.0,6.4,7.6,1312.6,1366.7,17.5,71.4,145.7,199.0,0.3,53.7,129.5,180.9,0.2,51.5,121.2,172.3,51.5,51.2,125.5,176.2,50.8,50.8,0.5,1.0,264.3,263.8,0.8,0.9,1006.9]
                    [PKTLENS.....: 74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123]
               new: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] 
          detected: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable]
diff --git a/test/results/flow-info/wechat.pcap.out b/test/results/flow-info/wechat.pcap.out
index 428b72691..da440c010 100644
--- a/test/results/flow-info/wechat.pcap.out
+++ b/test/results/flow-info/wechat.pcap.out
@@ -47,7 +47,7 @@
                    [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0]
-                   [IATS(ms)....: 361.6,361.6,0.4,378.1,3.6,381.3,56.9,56.9,0.3,0.3,2.7,376.6,375.0,3.3,373.8,38.3,2.8,410.6,21.2,3.3,393.4,30.9,401.1,383.7,0.8,383.1,2.9,2.9,5.8,1.1,1.1,0.0]
+                   [IATS(ms)....: 361.6,361.6,0.4,378.1,3.6,381.3,56.9,56.9,0.3,0.3,2.7,376.6,375.0,3.3,373.8,38.3,2.8,410.6,21.2,3.3,393.4,30.9,401.1,383.7,0.8,383.1,2.9,2.9,5.8,1.1,1.1]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66]
  detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
  detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
@@ -79,7 +79,7 @@
                    [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0]
-                   [IATS(ms)....: 359.2,359.3,0.4,360.6,1.9,362.1,0.5,0.5,3.6,359.7,357.1,3.3,369.2,32.8,2.8,400.5,15.0,3.3,382.0,38.0,403.1,2.4,369.1,37.0,438.8,4139.7,3.3,4544.3,34.1,398.8,1152.6,0.0]
+                   [IATS(ms)....: 359.2,359.3,0.4,360.6,1.9,362.1,0.5,0.5,3.6,359.7,357.1,3.3,369.2,32.8,2.8,400.5,15.0,3.3,382.0,38.0,403.1,2.4,369.1,37.0,438.8,4139.7,3.3,4544.3,34.1,398.8,1152.6]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234]
           analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -88,7 +88,7 @@
                    [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0]
-                   [IATS(ms)....: 353.8,353.8,953.1,1178.1,225.0,127.7,4.4,132.2,0.5,0.4,0.6,0.6,1.5,362.2,361.1,371.0,4.6,375.1,3.3,3.3,3017.9,3.3,3383.9,31.2,409.0,7.4,382.2,34.6,434.3,1926.0,3.4,0.0]
+                   [IATS(ms)....: 353.8,353.8,953.1,1178.1,225.0,127.7,4.4,132.2,0.5,0.4,0.6,0.6,1.5,362.2,361.1,371.0,4.6,375.1,3.3,3.3,3017.9,3.3,3383.9,31.2,409.0,7.4,382.2,34.6,434.3,1926.0,3.4]
                    [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541]
           analyse: [....13] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54058] [TLS][Web][Safe]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -97,7 +97,7 @@
                    [BINS(c->s)..: 8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 0.1,1713.3,2033.8,5.9,326.4,805.5,1165.4,11414.5,11774.4,393.6,716.6,9325.0,9648.0,1906.3,2225.8,6.4,325.8,425.7,784.5,2983.4,3342.3,487.8,806.7,9.2,328.1,421.5,782.1,1181.7,1542.3,420.6,740.0,0.0]
+                   [IATS(ms)....: 0.1,1713.3,2033.8,5.9,326.4,805.5,1165.4,11414.5,11774.4,393.6,716.6,9325.0,9648.0,1906.3,2225.8,6.4,325.8,425.7,784.5,2983.4,3342.3,487.8,806.7,9.2,328.1,421.5,782.1,1181.7,1542.3,420.6,740.0]
                    [PKTLENS.....: 264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66]
            update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable]
            update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable]
@@ -122,7 +122,7 @@
                    [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]
-                   [IATS(ms)....: 362.7,362.7,0.7,359.8,0.7,359.7,1.8,1.8,3.2,360.0,358.1,7.2,373.9,64.6,431.4,4.5,369.6,40.0,442.3,4042.2,3.3,4448.9,74.4,439.2,6493.5,3.3,6862.2,32.1,397.5,4719.1,3.2,0.0]
+                   [IATS(ms)....: 362.7,362.7,0.7,359.8,0.7,359.7,1.8,1.8,3.2,360.0,358.1,7.2,373.9,64.6,431.4,4.5,369.6,40.0,442.3,4042.2,3.3,4448.9,74.4,439.2,6493.5,3.3,6862.2,32.1,397.5,4719.1,3.2]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530]
           analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -131,7 +131,7 @@
                    [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1]
-                   [IATS(ms)....: 346.8,346.9,899.5,1092.8,193.2,160.5,1.8,162.3,0.6,0.5,2.9,351.9,387.2,4178.9,3.3,4577.7,29.2,386.6,5733.7,3.7,6095.0,83.0,440.7,5485.5,3.3,5845.9,30.2,387.3,1889.1,2.7,2250.0,0.0]
+                   [IATS(ms)....: 346.8,346.9,899.5,1092.8,193.2,160.5,1.8,162.3,0.6,0.5,2.9,351.9,387.2,4178.9,3.3,4577.7,29.2,386.6,5733.7,3.7,6095.0,83.0,440.7,5485.5,3.3,5845.9,30.2,387.3,1889.1,2.7,2250.0]
                    [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66]
           analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Web][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -140,7 +140,7 @@
                    [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1]
-                   [IATS(ms)....: 48.2,48.2,0.2,52.5,0.7,53.0,2.4,2.4,0.5,0.5,4.5,7.9,13.6,51.2,2.8,0.1,28.0,0.3,26.1,2.8,10.1,38.9,0.4,0.8,0.2,45.4,2.8,45043.9,45047.5,45056.0,45052.9,0.0]
+                   [IATS(ms)....: 48.2,48.2,0.2,52.5,0.7,53.0,2.4,2.4,0.5,0.5,4.5,7.9,13.6,51.2,2.8,0.1,28.0,0.3,26.1,2.8,10.1,38.9,0.4,0.8,0.2,45.4,2.8,45043.9,45047.5,45056.0,45052.9]
                    [PKTLENS.....: 74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66]
               new: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] 
          detected: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] [IGMP][Network][Acceptable]
@@ -182,7 +182,7 @@
                    [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 366.1,366.2,0.5,368.6,0.8,368.9,8.2,8.2,3.1,367.9,365.6,3.2,378.7,92.7,2.0,469.4,27.8,1.7,407.1,30.0,408.6,3.8,397.8,10.9,404.7,396.0,0.8,396.2,0.5,1.2,1.8,0.0]
+                   [IATS(ms)....: 366.1,366.2,0.5,368.6,0.8,368.9,8.2,8.2,3.1,367.9,365.6,3.2,378.7,92.7,2.0,469.4,27.8,1.7,407.1,30.0,408.6,3.8,397.8,10.9,404.7,396.0,0.8,396.2,0.5,1.2,1.8]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66]
          detected: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
  detection-update: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
@@ -194,7 +194,7 @@
                    [BINS(c->s)..: 11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1]
-                   [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5,0.0]
+                   [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494]
  detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
           analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun]
@@ -204,7 +204,7 @@
                    [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1]
-                   [IATS(ms)....: 378.9,379.0,0.4,354.0,2.4,356.0,2.8,2.8,1.0,367.4,367.3,4.4,365.8,31.1,394.9,3.2,367.9,55.9,2.8,420.1,17.9,0.8,381.3,34.8,434.3,543.1,951.7,371.6,0.5,0.5,1.3,0.0]
+                   [IATS(ms)....: 378.9,379.0,0.4,354.0,2.4,356.0,2.8,2.8,1.0,367.4,367.3,4.4,365.8,31.1,394.9,3.2,367.9,55.9,2.8,420.1,17.9,0.8,381.3,34.8,434.3,543.1,951.7,371.6,0.5,0.5,1.3]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494]
           guessed: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] [TLS][Web][Safe]
               end: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] 
@@ -268,7 +268,7 @@
                    [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1]
-                   [IATS(ms)....: 315.2,315.3,0.4,318.4,1.9,319.8,0.5,0.5,1.1,1.1,2.6,316.6,315.1,4.6,327.3,29.7,2.7,353.9,21.7,4.6,350.0,32.2,392.6,18.0,3.3,380.6,36.9,359.5,6259.0,6615.4,265.6,0.0]
+                   [IATS(ms)....: 315.2,315.3,0.4,318.4,1.9,319.8,0.5,0.5,1.1,1.1,2.6,316.6,315.1,4.6,327.3,29.7,2.7,353.9,21.7,4.6,350.0,32.2,392.6,18.0,3.3,380.6,36.9,359.5,6259.0,6615.4,265.6]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494]
  detection-update: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun]
                    RISK: Weak TLS Cipher
@@ -302,7 +302,7 @@
                    [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0]
-                   [IATS(ms)....: 325.2,325.3,0.5,328.0,0.7,328.2,0.4,0.4,3.9,3.9,2.7,325.9,324.6,3.2,337.6,77.1,411.9,3.8,340.3,28.0,402.7,7430.7,3.8,7807.0,79.9,412.5,2.9,0.4,340.1,30.3,405.8,0.0]
+                   [IATS(ms)....: 325.2,325.3,0.5,328.0,0.7,328.2,0.4,0.4,3.9,3.9,2.7,325.9,324.6,3.2,337.6,77.1,411.9,3.8,340.3,28.0,402.7,7430.7,3.8,7807.0,79.9,412.5,2.9,0.4,340.1,30.3,405.8]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66]
           analyse: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -311,7 +311,7 @@
                    [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.2,2000.4,21831.6,0.4,1000.5,2000.8,26318.9,0.4,1000.3,2000.5,41917.2,0.4,1000.2,2000.7,183800.6,0.4,1000.9,2001.0,33299.7,0.4,1000.7,2000.5,29037.0,0.3,1000.2,2000.7,0.0]
+                   [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.2,2000.4,21831.6,0.4,1000.5,2000.8,26318.9,0.4,1000.3,2000.5,41917.2,0.4,1000.2,2000.7,183800.6,0.4,1000.9,2001.0,33299.7,0.4,1000.7,2000.5,29037.0,0.3,1000.2,2000.7]
                    [PKTLENS.....: 82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82]
           analyse: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -320,7 +320,7 @@
                    [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.3,2000.4,21831.5,0.4,1000.6,2000.8,26318.9,0.4,1000.4,2000.5,41917.1,0.3,1000.2,2000.8,183800.4,0.3,1001.0,2001.0,33299.7,0.4,1000.7,2000.5,29036.9,0.3,1000.3,2000.7,0.0]
+                   [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.3,2000.4,21831.5,0.4,1000.6,2000.8,26318.9,0.4,1000.4,2000.5,41917.1,0.3,1000.2,2000.8,183800.4,0.3,1001.0,2001.0,33299.7,0.4,1000.7,2000.5,29036.9,0.3,1000.3,2000.7]
                    [PKTLENS.....: 102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102]
               new: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] 
               new: [....53] [ip4][..tcp] [..192.168.1.103][54120] -> [203.205.151.162][..443] 
@@ -341,7 +341,7 @@
                    [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0]
-                   [IATS(ms)....: 356.2,356.2,0.4,353.3,0.7,353.6,0.7,0.7,0.3,0.3,2.4,365.6,364.5,5.6,381.3,26.7,2.8,403.9,13.5,5.0,378.8,57.2,418.9,4.2,370.5,28.2,433.2,6695.6,7132.7,143.5,540.7,0.0]
+                   [IATS(ms)....: 356.2,356.2,0.4,353.3,0.7,353.6,0.7,0.7,0.3,0.3,2.4,365.6,364.5,5.6,381.3,26.7,2.8,403.9,13.5,5.0,378.8,57.2,418.9,4.2,370.5,28.2,433.2,6695.6,7132.7,143.5,540.7]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66]
           guessed: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] [TLS][Web][Safe]
               end: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] 
@@ -373,7 +373,7 @@
                    [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]
-                   [IATS(ms)....: 266.6,266.7,0.4,272.2,1.3,273.1,0.6,0.6,2.9,271.8,269.6,3.2,281.4,29.7,327.6,3.2,299.6,37.4,350.9,50.9,3.2,368.6,30.2,307.1,2227.6,3.2,2508.5,50.9,328.7,16.1,3.1,0.0]
+                   [IATS(ms)....: 266.6,266.7,0.4,272.2,1.3,273.1,0.6,0.6,2.9,271.8,269.6,3.2,281.4,29.7,327.6,3.2,299.6,37.4,350.9,50.9,3.2,368.6,30.2,307.1,2227.6,3.2,2508.5,50.9,328.7,16.1,3.1]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443]
           guessed: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] [TLS][Web][Safe]
               end: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] 
@@ -450,7 +450,7 @@
                    [BINS(c->s)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0]
                    [BINS(s->c)..: 6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0]
-                   [IATS(ms)....: 268.3,268.4,0.5,270.4,0.8,270.7,0.4,0.4,1.0,1.0,2.8,273.1,271.4,0.2,0.0,0.0,0.0,0.0,1.2,289.4,22.8,22.4,9.7,380.7,1255.6,5.0,1577.0,73.3,351.0,6.0,3.3,0.0]
+                   [IATS(ms)....: 268.3,268.4,0.5,270.4,0.8,270.7,0.4,0.4,1.0,1.0,2.8,273.1,271.4,0.2,0.0,0.0,0.0,0.0,1.2,289.4,22.8,22.4,9.7,380.7,1255.6,5.0,1577.0,73.3,351.0,6.0,3.3]
                    [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541]
  detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun]
          detected: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun]
diff --git a/test/results/flow-info/weibo.pcap.out b/test/results/flow-info/weibo.pcap.out
index c91383ed0..1dde002ab 100644
--- a/test/results/flow-info/weibo.pcap.out
+++ b/test/results/flow-info/weibo.pcap.out
@@ -29,7 +29,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 29.2,29.2,0.3,28.2,454.5,482.4,0.1,0.1,13.2,13.2,0.1,0.0,0.0,0.0,8.4,8.4,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,15.4,15.4,68.3,68.3,0.1,0.0,54.8,0.0]
+                   [IATS(ms)....: 29.2,29.2,0.3,28.2,454.5,482.4,0.1,0.1,13.2,13.2,0.1,0.0,0.0,0.0,8.4,8.4,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,15.4,15.4,68.3,68.3,0.1,0.0,54.8]
                    [PKTLENS.....: 74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502]
               new: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] 
          detected: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun]
@@ -50,7 +50,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 26.8,26.8,0.2,31.4,283.1,314.3,2.6,2.6,16.7,16.7,12.8,12.8,0.1,0.0,45.7,45.8,5.1,5.0,71.0,71.0,5.5,5.5,32.3,32.3,43.0,43.0,3.2,3.2,2.5,2.5,2.8,0.0]
+                   [IATS(ms)....: 26.8,26.8,0.2,31.4,283.1,314.3,2.6,2.6,16.7,16.7,12.8,12.8,0.1,0.0,45.7,45.8,5.1,5.0,71.0,71.0,5.5,5.5,32.3,32.3,43.0,43.0,3.2,3.2,2.5,2.5,2.8]
                    [PKTLENS.....: 74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502]
           analyse: [....16] [ip4][..tcp] [..192.168.1.105][35803] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -59,7 +59,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 26.7,26.8,0.2,28.2,372.4,400.5,6.7,6.7,6.6,6.6,15.5,15.5,6.6,6.6,9.2,9.2,23.4,23.4,49.3,49.3,71.7,71.7,3.3,3.3,2.9,2.9,2.8,2.8,5.5,5.5,3.7,0.0]
+                   [IATS(ms)....: 26.7,26.8,0.2,28.2,372.4,400.5,6.7,6.7,6.6,6.6,15.5,15.5,6.6,6.6,9.2,9.2,23.4,23.4,49.3,49.3,71.7,71.7,3.3,3.3,2.9,2.9,2.8,2.8,5.5,5.5,3.7]
                    [PKTLENS.....: 74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502]
               new: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] 
          detected: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun]
@@ -115,7 +115,7 @@
                    [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 26.8,26.8,0.3,31.4,276.1,307.3,6.9,6.9,153.9,153.9,2.9,2.9,375.9,438.8,4.4,67.2,2.9,3.0,31.5,31.4,138.5,138.5,6.1,6.1,4.5,4.5,193.5,193.5,28.8,28.7,2.7,0.0]
+                   [IATS(ms)....: 26.8,26.8,0.3,31.4,276.1,307.3,6.9,6.9,153.9,153.9,2.9,2.9,375.9,438.8,4.4,67.2,2.9,3.0,31.5,31.4,138.5,138.5,6.1,6.1,4.5,4.5,193.5,193.5,28.8,28.7,2.7]
                    [PKTLENS.....: 74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502]
           analyse: [....26] [ip4][..tcp] [..192.168.1.105][35807] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -124,7 +124,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 62.2,62.2,0.1,161.1,22.7,183.7,5.7,5.7,2.6,2.5,10.5,10.6,5.2,5.3,3.2,3.2,2.5,2.4,5.5,5.5,2.9,2.9,2.6,2.6,4.8,4.8,162.1,162.1,26.3,26.3,3.1,0.0]
+                   [IATS(ms)....: 62.2,62.2,0.1,161.1,22.7,183.7,5.7,5.7,2.6,2.5,10.5,10.6,5.2,5.3,3.2,3.2,2.5,2.4,5.5,5.5,2.9,2.9,2.6,2.6,4.8,4.8,162.1,162.1,26.3,26.3,3.1]
                    [PKTLENS.....: 74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502]
           analyse: [....28] [ip4][..tcp] [..192.168.1.105][35809] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun]
                                         min|      max|      avg|   stddev| variance|  entropy
@@ -133,7 +133,7 @@
                    [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 50.2,50.2,0.1,181.5,70.9,252.2,2.7,2.7,2.6,2.5,4.2,4.3,31.8,31.8,8.1,8.1,11.4,11.4,8.7,8.7,2.6,2.6,7.1,7.1,13.6,13.6,66.3,66.3,92.4,92.4,2.8,0.0]
+                   [IATS(ms)....: 50.2,50.2,0.1,181.5,70.9,252.2,2.7,2.7,2.6,2.5,4.2,4.3,31.8,31.8,8.1,8.1,11.4,11.4,8.7,8.7,2.6,2.6,7.1,7.1,13.6,13.6,66.3,66.3,92.4,92.4,2.8]
                    [PKTLENS.....: 74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502]
              idle: [....30] [ip4][..tcp] [..192.168.1.105][42275] -> [...222.73.28.96][...80] 
           guessed: [....37] [ip4][..tcp] [..192.168.1.105][42280] -> [...222.73.28.96][...80] [HTTP][Web][Acceptable]
diff --git a/test/results/flow-info/whatsapp_login_call.pcap.out b/test/results/flow-info/whatsapp_login_call.pcap.out
index eed131e81..6cbeecb72 100644
--- a/test/results/flow-info/whatsapp_login_call.pcap.out
+++ b/test/results/flow-info/whatsapp_login_call.pcap.out
@@ -36,7 +36,7 @@
                    [BINS(c->s)..: 9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
                    [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1]
-                   [IATS(ms)....: 281.8,283.2,8.7,294.4,1.1,0.0,286.0,0.8,0.5,0.6,39.8,0.2,0.3,326.4,1.4,0.4,3.0,289.9,5.8,0.5,0.0,317.5,1.9,68.9,0.6,382.6,405.2,0.7,0.0,712.5,2.0,0.0]
+                   [IATS(ms)....: 281.8,283.2,8.7,294.4,1.1,0.0,286.0,0.8,0.5,0.6,39.8,0.2,0.3,326.4,1.4,0.4,3.0,289.9,5.8,0.5,0.0,317.5,1.9,68.9,0.6,382.6,405.2,0.7,0.0,712.5,2.0]
                    [PKTLENS.....: 78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54]
  detection-update: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] [TLS.Apple][Web][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -48,7 +48,7 @@
                    [BINS(c->s)..: 9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0]
-                   [IATS(ms)....: 153.9,242.2,244.8,708.1,709.4,35.6,213.2,0.3,145.7,325.0,262.8,250.3,148.2,98.4,249.4,163.4,164.5,351.1,174.0,178.0,0.0,178.3,0.3,171.7,0.0,302.7,0.3,301.9,0.0,204.0,0.0,0.0]
+                   [IATS(ms)....: 153.9,242.2,244.8,708.1,709.4,35.6,213.2,0.3,145.7,325.0,262.8,250.3,148.2,98.4,249.4,163.4,164.5,351.1,174.0,178.0,0.0,178.3,0.3,171.7,0.0,302.7,0.3,301.9,0.0,204.0]
                    [PKTLENS.....: 78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132]
          detected: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe]
                    RISK: TLS (probably) Not Carrying HTTPS
@@ -61,7 +61,7 @@
                    [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 139.3,206.5,8.2,215.7,0.1,2.7,195.5,0.8,0.3,0.0,1.9,0.3,2.1,191.6,2.4,13.1,3.7,6.4,14.7,0.0,200.9,0.3,63.3,0.3,2.2,246.3,5.3,14.9,0.0,241.0,0.2,0.0]
+                   [IATS(ms)....: 139.3,206.5,8.2,215.7,0.1,2.7,195.5,0.8,0.3,0.0,1.9,0.3,2.1,191.6,2.4,13.1,3.7,6.4,14.7,0.0,200.9,0.3,63.3,0.3,2.2,246.3,5.3,14.9,0.0,241.0,0.2]
                    [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]
               new: [....18] [ip4][..tcp] [....192.168.2.4][49192] -> [...93.186.135.8][...80] [MIDSTREAM] 
               new: [....19] [ip4][..tcp] [....192.168.2.4][49191] -> [..17.172.100.49][..443] [MIDSTREAM] 
@@ -106,7 +106,7 @@
                    [BINS(c->s)..: 1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1]
-                   [IATS(ms)....: 85.5,95.2,66.1,60.4,102.7,208.4,184.1,159.6,139.1,188.5,352.4,23.4,152.9,55.1,31.1,91.6,0.1,141.2,0.0,163.2,159.2,188.6,161.9,163.6,162.1,156.8,164.9,143.2,181.6,163.3,123.9,0.0]
+                   [IATS(ms)....: 85.5,95.2,66.1,60.4,102.7,208.4,184.1,159.6,139.1,188.5,352.4,23.4,152.9,55.1,31.1,91.6,0.1,141.2,0.0,163.2,159.2,188.6,161.9,163.6,162.1,156.8,164.9,143.2,181.6,163.3,123.9]
                    [PKTLENS.....: 86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305]
               new: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] 
          detected: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] [ICMP][Network][Acceptable]
@@ -165,7 +165,7 @@
                    [BINS(c->s)..: 1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]
-                   [IATS(ms)....: 304.3,307.4,8.4,89.9,31.9,6.5,226.2,154.2,0.0,188.0,0.3,163.9,163.4,160.1,21.8,153.7,0.1,168.1,122.6,138.9,158.5,186.7,16.2,65.9,114.2,83.7,193.2,164.5,1.3,77.1,55.4,0.0]
+                   [IATS(ms)....: 304.3,307.4,8.4,89.9,31.9,6.5,226.2,154.2,0.0,188.0,0.3,163.9,163.4,160.1,21.8,153.7,0.1,168.1,122.6,138.9,158.5,186.7,16.2,65.9,114.2,83.7,193.2,164.5,1.3,77.1,55.4]
                    [PKTLENS.....: 86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185]
            update: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable]
                    RISK: Known Proto on Non Std Port
@@ -200,7 +200,7 @@
                    [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]
                    [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]
-                   [IATS(ms)....: 139.9,225.1,4.2,228.9,0.1,2.7,200.7,0.3,1.4,0.2,2.3,0.3,0.4,198.2,1.0,14.2,4.7,5.0,13.2,0.0,199.9,0.3,34.7,0.4,0.1,217.0,5.8,16.0,0.0,271.8,0.3,0.0]
+                   [IATS(ms)....: 139.9,225.1,4.2,228.9,0.1,2.7,200.7,0.3,1.4,0.2,2.3,0.3,0.4,198.2,1.0,14.2,4.7,5.0,13.2,0.0,199.9,0.3,34.7,0.4,0.1,217.0,5.8,16.0,0.0,271.8,0.3]
                    [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]
           guessed: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] [HTTP][Web][Acceptable]
               end: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] 
diff --git a/test/results/flow-info/whatsapp_login_chat.pcap.out b/test/results/flow-info/whatsapp_login_chat.pcap.out
index 34b71026b..6a7b66c3b 100644
--- a/test/results/flow-info/whatsapp_login_chat.pcap.out
+++ b/test/results/flow-info/whatsapp_login_chat.pcap.out
@@ -17,7 +17,7 @@
                    [BINS(c->s)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0]
                    [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0]
-                   [IATS(ms)....: 0.3,0.1,156.1,6.0,20.6,0.0,205.0,0.2,59.6,0.4,0.1,237.8,6.4,13.7,0.0,246.4,0.2,2803.2,0.7,0.1,0.2,0.2,0.1,3030.6,5.8,14.0,0.0,0.0,10.3,10.4,268.2,0.0]
+                   [IATS(ms)....: 0.3,0.1,156.1,6.0,20.6,0.0,205.0,0.2,59.6,0.4,0.1,237.8,6.4,13.7,0.0,246.4,0.2,2803.2,0.7,0.1,0.2,0.2,0.1,3030.6,5.8,14.0,0.0,0.0,10.3,10.4,268.2]
                    [PKTLENS.....: 1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127]
               new: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] 
          detected: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable]
diff --git a/test/results/flow-info/whatsapp_voice_and_message.pcap.out b/test/results/flow-info/whatsapp_voice_and_message.pcap.out
index 4b09de9e7..86421c6e4 100644
--- a/test/results/flow-info/whatsapp_voice_and_message.pcap.out
+++ b/test/results/flow-info/whatsapp_voice_and_message.pcap.out
@@ -26,7 +26,7 @@
                    [BINS(c->s)..: 9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0]
-                   [IATS(ms)....: 61.0,61.1,147.7,147.9,346.8,397.2,0.1,50.5,310.1,310.1,199.8,397.9,0.1,198.2,50.5,50.6,386.7,386.7,54.1,104.5,50.5,50.4,398.3,400.0,10696.7,10748.9,0.3,0.2,0.2,0.3,0.2,0.0]
+                   [IATS(ms)....: 61.0,61.1,147.7,147.9,346.8,397.2,0.1,50.5,310.1,310.1,199.8,397.9,0.1,198.2,50.5,50.6,386.7,386.7,54.1,104.5,50.5,50.4,398.3,400.0,10696.7,10748.9,0.3,0.2,0.2,0.3,0.2]
                    [PKTLENS.....: 74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133]
               new: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] 
          detected: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] [WhatsApp][Chat][Acceptable]
@@ -39,7 +39,7 @@
                    [BINS(c->s)..: 10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0]
-                   [IATS(ms)....: 1.3,2.4,29.8,31.2,401.5,457.9,56.4,0.2,0.1,0.2,50.5,50.4,0.2,112.5,112.8,50.8,57.3,6.5,0.3,0.2,50.4,50.5,0.1,50.4,131.0,50.4,131.2,0.1,50.5,50.6,0.8,0.0]
+                   [IATS(ms)....: 1.3,2.4,29.8,31.2,401.5,457.9,56.4,0.2,0.1,0.2,50.5,50.4,0.2,112.5,112.8,50.8,57.3,6.5,0.3,0.2,50.4,50.5,0.1,50.4,131.0,50.4,131.2,0.1,50.5,50.6,0.8]
                    [PKTLENS.....: 74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54]
            update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable]
            update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable]
@@ -58,7 +58,7 @@
                    [BINS(c->s)..: 11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0]
-                   [IATS(ms)....: 2.0,2.6,34.1,34.8,390.3,440.9,50.6,0.2,0.1,50.4,50.5,139.3,139.3,0.1,50.5,50.4,0.1,51.2,51.1,0.2,0.1,77.8,128.3,50.9,179.2,229.7,260.6,260.6,50.5,50.5,1768.4,0.0]
+                   [IATS(ms)....: 2.0,2.6,34.1,34.8,390.3,440.9,50.6,0.2,0.1,50.4,50.5,139.3,139.3,0.1,50.5,50.4,0.1,51.2,51.1,0.2,0.1,77.8,128.3,50.9,179.2,229.7,260.6,260.6,50.5,50.5,1768.4]
                    [PKTLENS.....: 74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90]
            update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable]
            update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable]
diff --git a/test/results/flow-info/whatsappfiles.pcap.out b/test/results/flow-info/whatsappfiles.pcap.out
index af408851f..cd4f7ef00 100644
--- a/test/results/flow-info/whatsappfiles.pcap.out
+++ b/test/results/flow-info/whatsappfiles.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0]
                    [BINS(s->c)..: 5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0]
-                   [IATS(ms)....: 90.0,91.9,3.0,95.6,1.4,1.2,0.0,95.9,1.0,78.9,282.8,460.9,0.0,97.9,0.0,4.0,7.0,1.0,0.0,0.0,115.1,0.0,1.2,0.0,102.9,1.0,41.1,24639.8,5.0,6.0,3.0,0.0]
+                   [IATS(ms)....: 90.0,91.9,3.0,95.6,1.4,1.2,0.0,95.9,1.0,78.9,282.8,460.9,0.0,97.9,0.0,4.0,7.0,1.0,0.0,0.0,115.1,0.0,1.2,0.0,102.9,1.0,41.1,24639.8,5.0,6.0,3.0]
                    [PKTLENS.....: 78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464]
               new: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] 
          detected: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable]
@@ -24,7 +24,7 @@
                    [BINS(c->s)..: 6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 56.7,61.0,1.0,66.0,0.1,65.0,1.0,5.0,0.0,1.0,0.0,59.9,51.0,0.0,7.3,0.0,4.1,0.1,11.0,0.0,86.4,107.5,0.0,1.4,0.9,1.4,1.2,1.2,1.0,1.2,1.2,0.0]
+                   [IATS(ms)....: 56.7,61.0,1.0,66.0,0.1,65.0,1.0,5.0,0.0,1.0,0.0,59.9,51.0,0.0,7.3,0.0,4.1,0.1,11.0,0.0,86.4,107.5,0.0,1.4,0.9,1.4,1.2,1.2,1.0,1.2,1.2]
                    [PKTLENS.....: 78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464]
               end: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable]
              idle: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable]
diff --git a/test/results/flow-info/wireguard.pcap.out b/test/results/flow-info/wireguard.pcap.out
index 853f95343..08c965af7 100644
--- a/test/results/flow-info/wireguard.pcap.out
+++ b/test/results/flow-info/wireguard.pcap.out
@@ -10,7 +10,7 @@
                    [BINS(c->s)..: 0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1]
-                   [IATS(ms)....: 0.0,0.2,13.3,82.4,23.4,0.1,92.8,0.7,114.4,124.5,0.2,238.5,14.3,86.0,36.4,0.1,108.2,0.8,113.6,3087.0,3060.6,97.5,183.7,5525.9,0.0,5525.9,16.5,88.0,44.4,0.1,115.9,0.0]
+                   [IATS(ms)....: 0.0,0.2,13.3,82.4,23.4,0.1,92.8,0.7,114.4,124.5,0.2,238.5,14.3,86.0,36.4,0.1,108.2,0.8,113.6,3087.0,3060.6,97.5,183.7,5525.9,0.0,5525.9,16.5,88.0,44.4,0.1,115.9]
                    [PKTLENS.....: 842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138]
            update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable]
            update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable]
diff --git a/test/results/flow-info/youtube_quic.pcap.out b/test/results/flow-info/youtube_quic.pcap.out
index f40492250..e30a05ab2 100644
--- a/test/results/flow-info/youtube_quic.pcap.out
+++ b/test/results/flow-info/youtube_quic.pcap.out
@@ -12,7 +12,7 @@
                    [BINS(c->s)..: 0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
                    [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]
-                   [IATS(ms)....: 43.7,0.6,47.4,0.3,0.2,0.0,22.6,22.3,0.0,41.9,0.1,4.3,1.2,5.2,1.0,1.2,2.1,1.0,1.2,2.2,1.1,0.9,2.0,1.3,1.0,2.3,0.9,1.3,2.3,0.6,7.7,0.0]
+                   [IATS(ms)....: 43.7,0.6,47.4,0.3,0.2,0.0,22.6,22.3,0.0,41.9,0.1,4.3,1.2,5.2,1.0,1.2,2.1,1.0,1.2,2.2,1.1,0.9,2.0,1.3,1.0,2.3,0.9,1.3,2.3,0.6,7.7]
                    [PKTLENS.....: 1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392]
               new: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] 
          detected: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] [QUIC.Google][Advertisement][Acceptable]
diff --git a/test/results/flow-info/youtubeupload.pcap.out b/test/results/flow-info/youtubeupload.pcap.out
index f6c2edc21..cf6412560 100644
--- a/test/results/flow-info/youtubeupload.pcap.out
+++ b/test/results/flow-info/youtubeupload.pcap.out
@@ -16,7 +16,7 @@
                    [BINS(c->s)..: 0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0]
                    [BINS(s->c)..: 4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0]
-                   [IATS(ms)....: 56.1,1.0,59.8,1.8,0.4,60.9,0.1,57.5,0.4,30.7,1096.9,0.5,1126.8,0.7,1825.8,1883.1,71.2,0.1,128.5,3.3,2.8,0.4,0.7,1.0,1.1,1.2,1.1,1.2,1.1,1.2,1.2,0.0]
+                   [IATS(ms)....: 56.1,1.0,59.8,1.8,0.4,60.9,0.1,57.5,0.4,30.7,1096.9,0.5,1126.8,0.7,1825.8,1883.1,71.2,0.1,128.5,3.3,2.8,0.4,0.7,1.0,1.1,1.2,1.1,1.2,1.1,1.2,1.2]
                    [PKTLENS.....: 1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392]
              idle: [.....2] [ip4][..tcp] [...192.168.2.27][57452] -> [.172.217.23.111][..443] 
              idle: [.....1] [ip4][..udp] [...192.168.2.27][51925] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun]
diff --git a/test/results/flow-info/zcash.pcap.out b/test/results/flow-info/zcash.pcap.out
index a82c94fbb..95c6559ad 100644
--- a/test/results/flow-info/zcash.pcap.out
+++ b/test/results/flow-info/zcash.pcap.out
@@ -11,7 +11,7 @@
                    [BINS(c->s)..: 9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1]
-                   [IATS(ms)....: 82.7,82.7,0.2,82.6,1.5,84.0,12149.8,12261.6,111.7,2618.8,2732.4,113.5,6931.2,7044.0,112.8,7848.9,7848.9,48786.2,308.4,320.0,608.0,50191.4,0.1,0.0,41.7,210.6,4833.2,4833.2,8034.7,8116.9,41.4,0.0]
+                   [IATS(ms)....: 82.7,82.7,0.2,82.6,1.5,84.0,12149.8,12261.6,111.7,2618.8,2732.4,113.5,6931.2,7044.0,112.8,7848.9,7848.9,48786.2,308.4,320.0,608.0,50191.4,0.1,0.0,41.7,210.6,4833.2,4833.2,8034.7,8116.9,41.4]
                    [PKTLENS.....: 74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129]
      DAEMON-EVENT: [Processed: 87 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/zoom.pcap.out b/test/results/flow-info/zoom.pcap.out
index 1c39b9f5c..95be0cdc5 100644
--- a/test/results/flow-info/zoom.pcap.out
+++ b/test/results/flow-info/zoom.pcap.out
@@ -64,7 +64,7 @@
                    [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 112.4,112.5,31.1,144.0,1.8,0.2,0.0,114.8,0.2,0.2,7.2,2.9,121.9,111.9,4.3,0.0,116.6,98.0,0.5,0.0,210.7,0.0,0.2,0.1,0.2,0.1,0.1,0.2,0.1,0.0,0.1,0.0]
+                   [IATS(ms)....: 112.4,112.5,31.1,144.0,1.8,0.2,0.0,114.8,0.2,0.2,7.2,2.9,121.9,111.9,4.3,0.0,116.6,98.0,0.5,0.0,210.7,0.0,0.2,0.1,0.2,0.1,0.1,0.2,0.1,0.0,0.1]
                    [PKTLENS.....: 78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54]
  detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable]
               new: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] 
@@ -120,7 +120,7 @@
                    [BINS(c->s)..: 10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]
-                   [IATS(ms)....: 31.6,31.8,0.2,32.7,2.0,0.1,0.0,34.5,0.0,10.5,0.0,10.6,60.1,93.9,33.8,0.4,31.3,30.9,4.6,0.0,36.6,6.2,38.2,156.1,156.1,0.1,0.0,0.1,10.6,59.1,3.1,0.0]
+                   [IATS(ms)....: 31.6,31.8,0.2,32.7,2.0,0.1,0.0,34.5,0.0,10.5,0.0,10.6,60.1,93.9,33.8,0.4,31.3,30.9,4.6,0.0,36.6,6.2,38.2,156.1,156.1,0.1,0.0,0.1,10.6,59.1,3.1]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237]
               new: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] 
          detected: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
@@ -134,7 +134,7 @@
                    [BINS(c->s)..: 1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 32.0,0.0,32.2,4.7,35.6,13.8,10.3,10.2,10.0,0.1,10.1,10.3,10.0,10.0,0.1,9.9,10.2,10.3,10.3,0.1,10.1,10.0,10.1,10.5,0.0,10.0,10.3,9.7,10.3,0.4,9.8,0.0]
+                   [IATS(ms)....: 32.0,0.0,32.2,4.7,35.6,13.8,10.3,10.2,10.0,0.1,10.1,10.3,10.0,10.0,0.1,9.9,10.2,10.3,10.3,0.1,10.1,10.0,10.1,10.5,0.0,10.0,10.3,9.7,10.3,0.4,9.8]
                    [PKTLENS.....: 149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071]
               new: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] 
          detected: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
diff --git a/test/results/flow-info/zoom2.pcap.out b/test/results/flow-info/zoom2.pcap.out
index d6417a349..7b81c5e98 100644
--- a/test/results/flow-info/zoom2.pcap.out
+++ b/test/results/flow-info/zoom2.pcap.out
@@ -15,7 +15,7 @@
                    [BINS(c->s)..: 11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
                    [BINS(s->c)..: 3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]
                    [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1]
-                   [IATS(ms)....: 174.7,174.8,0.6,174.0,1.3,0.0,0.0,0.0,175.4,0.0,0.0,23.6,1.3,198.6,173.1,0.3,174.5,174.1,5.8,0.0,187.6,0.7,0.0,182.4,0.1,0.1,0.1,0.9,0.8,0.5,0.0,0.0]
+                   [IATS(ms)....: 174.7,174.8,0.6,174.0,1.3,0.0,0.0,0.0,175.4,0.0,0.0,23.6,1.3,198.6,173.1,0.3,174.5,174.1,5.8,0.0,187.6,0.7,0.0,182.4,0.1,0.1,0.1,0.9,0.8,0.5,0.0]
                    [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270]
               new: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] 
           analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] 
@@ -25,7 +25,7 @@
                    [BINS(c->s)..: 0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
-                   [IATS(ms)....: 101.4,166.6,0.0,73.0,12.3,100.4,0.0,101.8,73.0,11.9,4.9,10.9,10.5,10.1,0.2,9.2,10.4,10.3,11.4,0.0,0.3,9.4,8.6,5.4,4.9,0.1,10.8,10.0,10.5,9.4,0.2,0.0]
+                   [IATS(ms)....: 101.4,166.6,0.0,73.0,12.3,100.4,0.0,101.8,73.0,11.9,4.9,10.9,10.5,10.1,0.2,9.2,10.4,10.3,11.4,0.0,0.3,9.4,8.6,5.4,4.9,0.1,10.8,10.0,10.5,9.4,0.2]
                    [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078]
           guessed: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
          detected: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
@@ -38,7 +38,7 @@
                    [BINS(c->s)..: 0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]
-                   [IATS(ms)....: 98.5,176.4,0.1,85.5,9.5,94.8,0.0,99.9,94.2,12.3,1.9,12.4,20.6,17.0,20.1,168.4,18.0,3.6,10.9,10.3,19.4,32.1,20.9,115.3,0.0,17.8,18.7,20.1,20.2,21.5,85.5,0.0]
+                   [IATS(ms)....: 98.5,176.4,0.1,85.5,9.5,94.8,0.0,99.9,94.2,12.3,1.9,12.4,20.6,17.0,20.1,168.4,18.0,3.6,10.9,10.3,19.4,32.1,20.9,115.3,0.0,17.8,18.7,20.1,20.2,21.5,85.5]
                    [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130]
           guessed: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
          detected: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
@@ -49,7 +49,7 @@
                    [BINS(c->s)..: 7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]
-                   [IATS(ms)....: 102.1,187.6,0.0,105.6,0.1,93.5,0.0,87.6,70.7,0.1,106.0,0.0,21.5,32.8,59.0,0.0,48.4,5.5,49.5,50.2,0.0,0.0,55.2,45.7,56.3,52.4,0.0,59.8,52.1,47.7,58.6,0.0]
+                   [IATS(ms)....: 102.1,187.6,0.0,105.6,0.1,93.5,0.0,87.6,70.7,0.1,106.0,0.0,21.5,32.8,59.0,0.0,48.4,5.5,49.5,50.2,0.0,0.0,55.2,45.7,56.3,52.4,0.0,59.8,52.1,47.7,58.6]
                    [PKTLENS.....: 167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69]
           guessed: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
          detected: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
diff --git a/test/results/forticlient.pcap.out b/test/results/forticlient.pcap.out
index 6bfa57991..041c57ace 100644
--- a/test/results/forticlient.pcap.out
+++ b/test/results/forticlient.pcap.out
@@ -35,7 +35,7 @@
 01349{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209262263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1621067209264717,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01409{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":105,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209346748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1621067209346748,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01675{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209348677,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":2421,"midstream":0,"thread_ts_usec":1621067209348677,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}}
-01997{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":39,"avg":70952.1,"max":495036,"stddev":111597.5,"var":12454002688.0,"ent":3.7,"data": [62553,62662,2345,64550,19935,1929,84016,11197,85323,74192,429584,495036,65428,84550,160241,75696,71555,6274,142878,591,65604,251,221,2934,4011,39,64164,57249,427,3990,89,0]},"pktlen": {"min":66,"avg":267.0,"max":1506,"stddev":343.0,"var":117623.0,"ent":4.2,"data": [78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125]},"bins": {"c_to_s": [9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":39,"avg":70952.1,"max":495036,"stddev":111597.5,"var":12454002688.0,"ent":3.7,"data": [62553,62662,2345,64550,19935,1929,84016,11197,85323,74192,429584,495036,65428,84550,160241,75696,71555,6274,142878,591,65604,251,221,2934,4011,39,64164,57249,427,3990,89]},"pktlen": {"min":66,"avg":267.0,"max":1506,"stddev":343.0,"var":117623.0,"ent":4.2,"data": [78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125]},"bins": {"c_to_s": [9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00771{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":9,"flow_first_seen":1621067203571879,"flow_src_last_pkt_time":1621067204621391,"flow_dst_last_pkt_time":1621067204682403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":493,"flow_dst_tot_l4_payload_len":2929,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1621067204622472,"flow_src_last_pkt_time":1621067205650296,"flow_dst_last_pkt_time":1621067205708789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":6225,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1621067205651500,"flow_src_last_pkt_time":1621067206681899,"flow_dst_last_pkt_time":1621067206738955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -50,10 +50,10 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6155048 bytes
-~~ total memory freed........: 6155048 bytes
+~~ total memory allocated....: 6155028 bytes
+~~ total memory freed........: 6155028 bytes
 ~~ total allocations/frees...: 123564/123564
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
-~~ json string max len.......: 2002 chars
-~~ json string avg len.......: 1247 chars
+~~ json string max len.......: 2000 chars
+~~ json string avg len.......: 1246 chars
diff --git a/test/results/ftp-start-tls.pcap.out b/test/results/ftp-start-tls.pcap.out
index e51d739dd..463bfd7c3 100644
--- a/test/results/ftp-start-tls.pcap.out
+++ b/test/results/ftp-start-tls.pcap.out
@@ -8,7 +8,7 @@
 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629098899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":73,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1383123629101855,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}}
 01332{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":11,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103318,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1383123629103318,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}}
 01333{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":13,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":1447,"midstream":0,"thread_ts_usec":1383123629103328,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}}
-01529{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4811.0,"max":40376,"stddev":9556.7,"var":91331016.0,"ent":3.2,"data": [415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203,0]},"pktlen": {"min":60,"avg":174.9,"max":566,"stddev":164.2,"var":26956.4,"ent":4.5,"data": [60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144]},"bins": {"c_to_s": [4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1]}}
+01527{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4811.0,"max":40376,"stddev":9556.7,"var":91331016.0,"ent":3.2,"data": [415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203]},"pktlen": {"min":60,"avg":174.9,"max":566,"stddev":164.2,"var":26956.4,"ent":4.5,"data": [60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144]},"bins": {"c_to_s": [4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1]}}
 01333{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}}
 01365{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":35,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629412168,"flow_dst_last_pkt_time":1383123629233523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":856,"flow_dst_tot_l4_payload_len":3834,"midstream":0,"thread_ts_usec":1383123629412168,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":51,"total-skipped-flows":0,"total-l4-payload-len":4690,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1383123629412168}
@@ -20,10 +20,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043483 bytes
-~~ total memory freed........: 6043483 bytes
+~~ total memory allocated....: 6043479 bytes
+~~ total memory freed........: 6043479 bytes
 ~~ total allocations/frees...: 121546/121546
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1534 chars
-~~ json string avg len.......: 1007 chars
+~~ json string max len.......: 1532 chars
+~~ json string avg len.......: 1006 chars
diff --git a/test/results/ftp.pcap.out b/test/results/ftp.pcap.out
index e979af4e0..ea6b69119 100644
--- a/test/results/ftp.pcap.out
+++ b/test/results/ftp.pcap.out
@@ -5,7 +5,7 @@
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1552590234892296,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590234919708,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1AAVxgZYKsHSoyOX7qASqbA+KAAAAgQFrAQCCAoSZ\/tNO1eYmQEDAw4="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1552590234919816,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590234919816,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYGABWjI5fuWCrB04AQECxjbgAAAQEICjtXmLQSZ\/tN"}
 01043{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590234976972,"flow_dst_last_pkt_time":1552590235066945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":29,"flow_dst_tot_l4_payload_len":77,"midstream":0,"thread_ts_usec":1552590235066945,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download","ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}}}
-01795{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":19157.4,"max":90047,"stddev":20644.4,"var":426190272.0,"ent":4.1,"data": [27412,27520,29008,29012,526,27660,315,27401,217,69061,21193,90047,306,27070,21,26780,133,26972,64,26857,6,275,27478,27261,90,29,651,27147,26517,90,26761,0]},"pktlen": {"min":66,"avg":85.9,"max":307,"stddev":42.7,"var":1824.0,"ent":4.9,"data": [78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}}
+01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":19157.4,"max":90047,"stddev":20644.4,"var":426190272.0,"ent":4.1,"data": [27412,27520,29008,29012,526,27660,315,27401,217,69061,21193,90047,306,27070,21,26780,133,26972,64,26857,6,275,27478,27261,90,29,651,27147,26517,90,26761]},"pktlen": {"min":66,"avg":85.9,"max":307,"stddev":42.7,"var":1824.0,"ent":4.9,"data": [78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1552590236580045,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1552590236580045,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50695,"dst_port":25685,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590236580045,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYHZFXuwKKMAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1efIQAAAAAEAgAA"}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236608252,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590236608252,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1GRVxgdmK2Nw7sCijaASqbDL3QAAAgQFrAQCCAoSZ\/zzO1efIQEDAw4="}
@@ -15,7 +15,7 @@
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241545143,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590241545143,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYIX8sNBxpOAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1eyYgAAAAAEAgAA"}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590241573913,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1F\/LxggMTnkwDQcaT6ASqbBmYgAAAgQFrAQCCAoSaAHMO1eyYgEDAw4="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1552590241573957,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590241573957,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYIX8sNBxpPDE55MYAQECxjbgAAAQEICjtXsn0SaAHM"}
-01550{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6033.4,"max":29579,"stddev":11108.9,"var":123407192.0,"ent":3.1,"data": [28770,28814,29579,29566,281,284,597,608,340,458,790,363,375,64,327,2,379,43,300,27513,27767,195,211,1702,115,4,1805,1866,1903,218,1796,0]},"pktlen": {"min":66,"avg":832.0,"max":1506,"stddev":717.5,"var":514855.0,"ent":4.3,"data": [78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1]}}
+01548{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6033.4,"max":29579,"stddev":11108.9,"var":123407192.0,"ent":3.1,"data": [28770,28814,29579,29566,281,284,597,608,340,458,790,363,375,64,327,2,379,43,300,27513,27767,195,211,1702,115,4,1805,1866,1903,218,1796]},"pktlen": {"min":66,"avg":832.0,"max":1506,"stddev":717.5,"var":514855.0,"ent":4.3,"data": [78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1]}}
 00806{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00845{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":380,"flow_dst_packets_processed":735,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241851108,"flow_dst_last_pkt_time":1552590241878454,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1048576,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":27,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590243340268,"flow_dst_last_pkt_time":1552590243371057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":889,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}}
@@ -29,10 +29,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6079644 bytes
-~~ total memory freed........: 6079644 bytes
+~~ total memory allocated....: 6079632 bytes
+~~ total memory freed........: 6079632 bytes
 ~~ total allocations/frees...: 122703/122703
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1800 chars
-~~ json string avg len.......: 1143 chars
+~~ json string max len.......: 1798 chars
+~~ json string avg len.......: 1142 chars
diff --git a/test/results/ftp_failed.pcap.out b/test/results/ftp_failed.pcap.out
index 37e5be8ea..121f7caa2 100644
--- a/test/results/ftp_failed.pcap.out
+++ b/test/results/ftp_failed.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038242 bytes
-~~ total memory freed........: 6038242 bytes
+~~ total memory allocated....: 6038238 bytes
+~~ total memory freed........: 6038238 bytes
 ~~ total allocations/frees...: 121507/121507
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/fuzz-2006-06-26-2594.pcap.out b/test/results/fuzz-2006-06-26-2594.pcap.out
index 0ecfdf14f..32cf1af48 100644
--- a/test/results/fuzz-2006-06-26-2594.pcap.out
+++ b/test/results/fuzz-2006-06-26-2594.pcap.out
@@ -676,7 +676,7 @@
 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":287,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158623642,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470158623642,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.v.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470158625217,"pkt":"AODtAW69ADBUADRWCABFAABbAABAAEARtz7AqAEBwKgBAgA1CsUARyeF3\/CAAAABAAEAAAAAAXMBMAElcwAyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3QA"}
 01120{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":63,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":63,"midstream":0,"thread_ts_usec":1120470158625217,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01789{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":741823,"avg":20017986.0,"max":47494748,"stddev":22627942.0,"var":512023754440704.0,"ent":3.9,"data": [746308,47494748,744583,751092,46512252,745680,46548540,1500555,45837567,749435,751083,46756478,741823,751085,45987992,749213,47479804,47268139,749384,47257959,751080,46297871,749788,46627979,750158,751078,45907667,749430,751084,46347688,750041,0]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01787{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":741823,"avg":20017986.0,"max":47494748,"stddev":22627942.0,"var":512023754440704.0,"ent":3.9,"data": [746308,47494748,744583,751092,46512252,745680,46548540,1500555,45837567,749435,751083,46756478,741823,751085,45987992,749213,47479804,47268139,749384,47257959,751080,46297871,749788,46627979,750158,751078,45907667,749430,751084,46347688,750041]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973959320,"flow_src_last_pkt_time":1120469973959320,"flow_dst_last_pkt_time":1120469973959320,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":63,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.130.1","dst_ip":"192.168.1.2","src_port":53,"dst_port":2741,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":75,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973957831,"flow_src_last_pkt_time":1120469973957831,"flow_dst_last_pkt_time":1120469973957831,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2741,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00741{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469847669186,"flow_src_last_pkt_time":1120469847669186,"flow_dst_last_pkt_time":1120469847669186,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":475,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":475,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":475,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","l4_proto":120,"flow_datalink":1,"flow_max_packets":3}
@@ -1162,7 +1162,7 @@
 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":428,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":165,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473526171,"flow_src_last_pkt_time":1120470473526171,"flow_dst_last_pkt_time":1120470473526171,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473526171,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2788,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.0.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473527682,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":71,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":71,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":71,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473527682,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.2","l4_proto":0,"flow_datalink":1,"flow_max_packets":3}
 00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":1,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470473527682,"pkt":"AODtAW69ADBUADRWCABFAABbAABAJXMAtz7AqAEBwKgBAgA1CuQAR5xtaumAAAABAAEAAAAAATEBMAEwAzEyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3Qw"}
-01859{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":51474044.0,"max":279041814,"stddev":59389388.0,"var":3527099352612864.0,"ent":4.2,"data": [17474795,107207461,89874891,17280679,167478647,167525220,17335822,73902652,91241081,17333170,25935,17724998,29031776,29092737,68237242,29272359,29031830,29031631,29031476,18604480,279041814,227102,15287489,17115049,32679444,257340,76383084,29031077,58063525,24495477,17375114,0]},"pktlen": {"min":47,"avg":381.0,"max":1118,"stddev":296.2,"var":87757.2,"ent":4.5,"data": [528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":51474044.0,"max":279041814,"stddev":59389388.0,"var":3527099352612864.0,"ent":4.2,"data": [17474795,107207461,89874891,17280679,167478647,167525220,17335822,73902652,91241081,17333170,25935,17724998,29031776,29092737,68237242,29272359,29031830,29031631,29031476,18604480,279041814,227102,15287489,17115049,32679444,257340,76383084,29031077,58063525,24495477,17375114]},"pktlen": {"min":47,"avg":381.0,"max":1118,"stddev":296.2,"var":87757.2,"ent":4.5,"data": [528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00201{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","layer_type":2157,"global_ts_usec":1120470473631455}
 00403{"packet_event_id":1,"packet_event_name":"packet","packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":86,"pkt_type":2157,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":86,"pkt_l4_len":0,"thread_ts_usec":1120470473529233,"pkt":"ADBUADRWACVzVG69CG1FAABIa2IAAIARS+\/AqAECwKgBAQrlADUANLH1d+oBAAABAAAAAAAABF9zaXAEX3VkcANzaXAJY3liZXJjaXR5AmRrAAAhAAE="}
 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":432,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","l4_data_len":498,"global_ts_usec":1120470473676412}
@@ -2081,8 +2081,8 @@
 ~~ total active/idle flows...: 257/257
 ~~ total timeout flows.......: 2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6500034 bytes
-~~ total memory freed........: 6500034 bytes
+~~ total memory allocated....: 6499006 bytes
+~~ total memory freed........: 6499006 bytes
 ~~ total allocations/frees...: 124653/124653
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 203 chars
diff --git a/test/results/fuzz-2006-09-29-28586.pcap.out b/test/results/fuzz-2006-09-29-28586.pcap.out
index c7abe317b..f7ab00652 100644
--- a/test/results/fuzz-2006-09-29-28586.pcap.out
+++ b/test/results/fuzz-2006-09-29-28586.pcap.out
@@ -206,8 +206,8 @@
 ~~ total active/idle flows...: 39/39
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6113783 bytes
-~~ total memory freed........: 6113783 bytes
+~~ total memory allocated....: 6113627 bytes
+~~ total memory freed........: 6113627 bytes
 ~~ total allocations/frees...: 122015/122015
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 204 chars
diff --git a/test/results/fuzz-2020-02-16-11740.pcap.out b/test/results/fuzz-2020-02-16-11740.pcap.out
index fc16483c0..a7d688957 100644
--- a/test/results/fuzz-2020-02-16-11740.pcap.out
+++ b/test/results/fuzz-2020-02-16-11740.pcap.out
@@ -94,7 +94,7 @@
 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","l4_data_len":284,"global_ts_usec":1528997012338586}
 00714{"packet_event_id":1,"packet_event_name":"packet","packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":318,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":318,"pkt_l4_len":0,"thread_ts_usec":1528997012137776,"pkt":"ABRP+4rqcNuYVcUnCABFAIEw++ZAAPwRV5TG4hk1CgxAHgcUchABHA0JAicBFBsdKAWbpXDSR2MuOEvDRI4aCwAAV8gbBVNQQxpuAAABNxA0owm4HCG6PU2XNAkv\/vzDOB0KCSSyhii6vunR59O76CIKGOYjAfl7PUhdXq\/+IyUA1AERNOgzhBq9cBFTORk8iq5zOGawlRK5SmrzC9CE14BmLSTx9+rzUr5gcK7nljeTYDH3Q7JtAU4wMzExNDgwMDczNjM4MDcyQHdsYW4ubW5jNCUALm12YzMxMS4zZ3BwbmV0d29yay5vcmcsIDViMjJhNDg0L2YwOjc5OjYwOmQxOjdkOjM3LzIxNVkMOTA4NDIxMzI5MhIJU3VjY2VzcxkFU1BDTwYDAgAEUBJln13lrCrLxGDT3fIxBMmg"}
 00925{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1528996603395872,"flow_src_last_pkt_time":1528996832079336,"flow_dst_last_pkt_time":1528996609592806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":209,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":834,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":2009,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1528997012137776,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1813,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01853{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":155168,"avg":61128012.0,"max":612411195,"stddev":140850256.0,"var":19838793242640384.0,"ent":2.7,"data": [155168,452627740,595449,114837328,612411195,44261470,205164,4046522,4037802,201918,4553249,187053,43562433,202627,48502104,3244519,3442366,3335821,3536360,209147,201397,255983176,256164296,599645,6262990,492548,7309633,8000538,8015324,522347,7260933,0]},"pktlen": {"min":179,"avg":506.2,"max":745,"stddev":248.2,"var":61618.1,"ent":4.8,"data": [697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01851{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":155168,"avg":61128012.0,"max":612411195,"stddev":140850256.0,"var":19838793242640384.0,"ent":2.7,"data": [155168,452627740,595449,114837328,612411195,44261470,205164,4046522,4037802,201918,4553249,187053,43562433,202627,48502104,3244519,3442366,3335821,3536360,209147,201397,255983176,256164296,599645,6262990,492548,7309633,8000538,8015324,522347,7260933]},"pktlen": {"min":179,"avg":506.2,"max":745,"stddev":248.2,"var":61618.1,"ent":4.8,"data": [697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00199{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":1,"packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","protocol":2048,"global_ts_usec":1528997023243075}
 01284{"packet_event_id":1,"packet_event_name":"packet","packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":745,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":745,"pkt_l4_len":0,"thread_ts_usec":1528997020091114,"pkt":"AAAMB6xAABRP+4rqCAAHAALbIOZAAP8RAAAKDEAexuIZNXIQBxQC1gAAASoCn1lLG5tNeGgoWBAiZw18BtkaCgAAV8gOBFVTGgwAAFfIDQZ3aWZpGg8AAFfICVZXSVNQUjEwGgkAADghDQMyNwZbIqSfATUwMzExNDgwMjgxNTAxNTg5QHdsYW4ubW5jNDgwLm1jYzMxMS4zZ3BwbmV0d29yay5vcmdZAxB+CDFjaXNjb4MGAAAAAR+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="}
 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":66,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1528997023501287,"flow_src_last_pkt_time":1528997023501287,"flow_dst_last_pkt_time":1528997023501287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":164,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":164,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":164,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1528997023501287,"l3_proto":"ip4","src_ip":"198.162.25.53","dst_ip":"10.12.64.30","src_port":1810,"dst_port":29200,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -609,10 +609,10 @@
 ~~ total active/idle flows...: 79/79
 ~~ total timeout flows.......: 13
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6171274 bytes
-~~ total memory freed........: 6171274 bytes
+~~ total memory allocated....: 6170958 bytes
+~~ total memory freed........: 6170958 bytes
 ~~ total allocations/frees...: 122565/122565
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 204 chars
-~~ json string max len.......: 1858 chars
-~~ json string avg len.......: 1031 chars
+~~ json string max len.......: 1856 chars
+~~ json string avg len.......: 1030 chars
diff --git a/test/results/genshin-impact.pcap.out b/test/results/genshin-impact.pcap.out
index 983de3e6e..a006945ef 100644
--- a/test/results/genshin-impact.pcap.out
+++ b/test/results/genshin-impact.pcap.out
@@ -50,8 +50,8 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052539 bytes
-~~ total memory freed........: 6052539 bytes
+~~ total memory allocated....: 6052515 bytes
+~~ total memory freed........: 6052515 bytes
 ~~ total allocations/frees...: 121630/121630
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/git.pcap.out b/test/results/git.pcap.out
index b6490bde2..d55aafc42 100644
--- a/test/results/git.pcap.out
+++ b/test/results/git.pcap.out
@@ -5,7 +5,7 @@
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1460821630164056,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1460821630221958,"pkt":"PJcOZtCOnJcm0ghCCABFCAA8AABAAC8GnhAFmecVwKgATSTKu3dqwE5VfoYLRaASOJBfrwAAAgQFrAQCCAorjWmrAadIEgEDAwc="}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1460821630222020,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1460821630222020,"pkt":"nJcm0ghCPJcOZtCOCABFAAA0Q1dAAEAGScnAqABNBZnnFbt3JMp+hgtFasBOVoAQAB3G2AAAAQEICgGnSCArjWmr"}
 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630222080,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":69,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1460821630222080,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}}
-01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":24597.4,"max":99851,"stddev":28614.0,"var":818762240.0,"ent":3.8,"data": [57902,57964,60,56073,43848,99851,54739,54730,537,49455,48900,45519,29,17836,63404,1849,203,2031,860,202,1063,209,208,710,439,1139,50571,205,50785,547,651,0]},"pktlen": {"min":66,"avg":704.9,"max":2946,"stddev":773.9,"var":598945.8,"ent":4.1,"data": [74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":24597.4,"max":99851,"stddev":28614.0,"var":818762240.0,"ent":3.8,"data": [57902,57964,60,56073,43848,99851,54739,54730,537,49455,48900,45519,29,17836,63404,1849,203,2031,860,202,1063,209,208,710,439,1139,50571,205,50785,547,651]},"pktlen": {"min":66,"avg":704.9,"max":2946,"stddev":773.9,"var":598945.8,"ent":4.1,"data": [74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":49,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821631220936,"flow_dst_last_pkt_time":1460821631269756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":67444,"midstream":0,"thread_ts_usec":1460821631269756,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","packets-captured":90,"packets-processed":90,"total-skipped-flows":0,"total-l4-payload-len":68049,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1460821631269756}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038255 bytes
-~~ total memory freed........: 6038255 bytes
+~~ total memory allocated....: 6038251 bytes
+~~ total memory freed........: 6038251 bytes
 ~~ total allocations/frees...: 121577/121577
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1715 chars
-~~ json string avg len.......: 1043 chars
+~~ json string max len.......: 1713 chars
+~~ json string avg len.......: 1042 chars
diff --git a/test/results/gnutella.pcap.out b/test/results/gnutella.pcap.out
index 5801dbeb4..250e8aa1b 100644
--- a/test/results/gnutella.pcap.out
+++ b/test/results/gnutella.pcap.out
@@ -1143,10 +1143,10 @@
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1296,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":3,"flow_src_last_pkt_time":99778426,"flow_dst_last_pkt_time":90738015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778426,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Rs5AAIAGRA0KAAIPyAeb0sRzbs28TEPZAAAAAIAC+vDQzwAAAgQFtAEDAwgBAQQC"}
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1297,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":286,"flow_packet_id":3,"flow_src_last_pkt_time":99778446,"flow_dst_last_pkt_time":90745561,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778446,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0O4NAAIAGzRIKAAIPTG6ZscSGnFbyaQhuAAAAAIAC+vAmPAAAAgQFtAEDAwgBAQQC"}
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1298,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":3,"flow_src_last_pkt_time":99778471,"flow_dst_last_pkt_time":90737440,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778471,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0gg9AAIAGKkQKAAIPSVn5CMRyxdmnmnGXAAAAAIAC+vCCMAAAAgQFtAEDAwgBAQQC"}
-01866{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":68,"avg":767424.4,"max":8796467,"stddev":2113226.8,"var":4465727373312.0,"ent":2.6,"data": [111774,112031,223,580,122233,123811,1735,510239,510348,125373,7027,133055,508500,509079,643423,701863,8737919,8796467,643884,78,644721,118605,2969,121592,121581,84,121516,120907,68,120959,117511,0]},"pktlen": {"min":54,"avg":423.2,"max":1514,"stddev":491.7,"var":241767.6,"ent":4.1,"data": [66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+01864{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":68,"avg":767424.4,"max":8796467,"stddev":2113226.8,"var":4465727373312.0,"ent":2.6,"data": [111774,112031,223,580,122233,123811,1735,510239,510348,125373,7027,133055,508500,509079,643423,701863,8737919,8796467,643884,78,644721,118605,2969,121592,121581,84,121516,120907,68,120959,117511]},"pktlen": {"min":54,"avg":423.2,"max":1514,"stddev":491.7,"var":241767.6,"ent":4.1,"data": [66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 01456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1320,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":2,"flow_src_last_pkt_time":95784128,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":100920359,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBEAAAEARxyNeNkJSCgACD\/iVcAkC34d4LkYxAuq77b+oti7DkMaMrEQAAMACAAAGR1RLRwAA+wNHJRwgXbAuWugSpAUSxJsCHL8EXjZCUviVAQAAAAR+IhyrFEdUS0cAAOCbIyHZHrkrYnNgnMXp7j9XkbO8BG2EvGL1g1dTSFIAAPJ8p2NaB+IvDcmOjYwpnv4Dgo0cBBinyTW4skdUS0cAAPLJywhbkrobDN\/JQ6AnuEOyGSGjBLBjsBQYykdUS0cAAPdrnSa2ww\/WjIRLC1ipyWI+KDekBGjurPpb\/FdTSFIAAPUb1vVQWKsuipKs18obx69UnmxtBEftyls+9UdUS0cAAPXAlRBP9j9OpxXVbJllgFo1AUWcBFzZVBBO\/0dUS0cAAPk7PafFnhokmbg2Skj0CN9dtWlxBGDszQeH6kdUS0cAAP2LxejmjNINBLJfc3hRxQZnhG+dBK23t27qEEdUS0cAAMJCPsbCyFi2EKuhIjR8FOxLMgMMBKSEChnYBkdUS0cAAMs4SkQs8Plx39K+G3osYia2QR5gBLnsyIm8DkdUS0cAANFgvV19Qr+DjCD+VI9ncRVX3pcfBLyly75V61dTSFIAANEo391sZyCjuFpU0yy2PWYlrl8ABC1Yddsa\/UdUS0cAANCctnuhx+ItXQPhY9ykozj36PhcBGD2nH7bBkdUS0cAANY8nyC9cCseHTJEnvv8hZLF1GA+BEn6s+1RcEdUS0cAAN60b0CUs3pQ36DSdMP3NoNcDa2fBFOgjzCQrEdUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan0dUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSA=="}
-01861{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":797322.6,"max":8218469,"stddev":1970792.9,"var":3884024594432.0,"ent":2.9,"data": [128313,128710,372,938,178629,178799,1,501219,501471,98390,140683,469376,511641,1190983,1233531,8175797,8218469,772334,828075,95677,89547,96875,110099,405396,409608,95445,89124,2830,63380,645,642,0]},"pktlen": {"min":54,"avg":296.6,"max":1078,"stddev":381.8,"var":145784.6,"ent":4.0,"data": [66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
-01823{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":346,"avg":665759.1,"max":8692014,"stddev":2110974.0,"var":4456211546112.0,"ent":1.9,"data": [30928,31210,439,818,29157,31647,2471,501745,502012,17074,17362,35097,479690,480352,544167,592641,8643736,8692014,619,570,563,598,427,387,461,428,346,360,379,396,439,0]},"pktlen": {"min":54,"avg":135.8,"max":682,"stddev":170.0,"var":28912.7,"ent":4.2,"data": [66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+01859{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":797322.6,"max":8218469,"stddev":1970792.9,"var":3884024594432.0,"ent":2.9,"data": [128313,128710,372,938,178629,178799,1,501219,501471,98390,140683,469376,511641,1190983,1233531,8175797,8218469,772334,828075,95677,89547,96875,110099,405396,409608,95445,89124,2830,63380,645,642]},"pktlen": {"min":54,"avg":296.6,"max":1078,"stddev":381.8,"var":145784.6,"ent":4.0,"data": [66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+01821{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":346,"avg":665759.1,"max":8692014,"stddev":2110974.0,"var":4456211546112.0,"ent":1.9,"data": [30928,31210,439,818,29157,31647,2471,501745,502012,17074,17362,35097,479690,480352,544167,592641,8643736,8692014,619,570,563,598,427,387,461,428,346,360,379,396,439]},"pktlen": {"min":54,"avg":135.8,"max":682,"stddev":170.0,"var":28912.7,"ent":4.2,"data": [66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_packet_id":1,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":101122346,"pkt":"UlQAEjUCCAAn5uVZCABFAABt2AwAAIARIW0KAAIPy9xpG3AJSzwAWVR20YMxAsOjfW6uj7unlpr730QAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAONVJKmT8c3egN9Xa0CwzKQP3iGM"}
 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
@@ -1221,8 +1221,8 @@
 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2009,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":311,"flow_packet_id":3,"flow_src_last_pkt_time":116916595,"flow_dst_last_pkt_time":95753158,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116916595,"pkt":"UlQAEjUCCAAn5uVZCABFAABtSkYAAIARukQKAAIPbYS8YnAJ9YMAWSTZAPYxAt0gaIFrQZ34NDjR2kQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"}
 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2010,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":317,"flow_packet_id":3,"flow_src_last_pkt_time":116942486,"flow_dst_last_pkt_time":95892313,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116942486,"pkt":"UlQAEjUCCAAn5uVZCABFAABtkeQAAIARbpkKAAIPYOzNB3AJh+oAWWt89cIxAlSvaqi63PpUHKTx3UQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"}
 00589{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2012,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":3,"flow_src_last_pkt_time":116952656,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116952656,"pkt":"UlQAEjUCCAAn5uVZCABFAABtMigAAIARW8EKAAIPXjZCUnAJ+JUAWdgAXr4xAg\/r1cFsj19qlWaDPkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"}
-02080{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":307222.7,"max":1138736,"stddev":463516.9,"var":214847930368.0,"ent":3.3,"data": [108990,109470,822,1560,1123233,14904,1138736,509,4088,37,4418,993404,175,19,291,993807,142,988894,159,41,989074,4759,4845,1004141,96,26,62,1004324,1027632,5162,84,0]},"pktlen": {"min":54,"avg":862.8,"max":1514,"stddev":665.4,"var":442787.6,"ent":4.4,"data": [66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
-01864{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":1827735.8,"max":13801588,"stddev":3934254.5,"var":15478358540288.0,"ent":2.8,"data": [17190,17418,3506,3946,14197,14999,687,2797,2855,25798,49,26144,8990,9323,15893,71757,495574,483536,221196,265159,15579,77266,487598,467678,9468962,9510672,13760964,13801588,1593559,1633954,4140974,0]},"pktlen": {"min":54,"avg":212.9,"max":1514,"stddev":294.0,"var":86413.1,"ent":4.1,"data": [66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115]},"bins": {"c_to_s": [8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+02078{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":307222.7,"max":1138736,"stddev":463516.9,"var":214847930368.0,"ent":3.3,"data": [108990,109470,822,1560,1123233,14904,1138736,509,4088,37,4418,993404,175,19,291,993807,142,988894,159,41,989074,4759,4845,1004141,96,26,62,1004324,1027632,5162,84]},"pktlen": {"min":54,"avg":862.8,"max":1514,"stddev":665.4,"var":442787.6,"ent":4.4,"data": [66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
+01862{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":1827735.8,"max":13801588,"stddev":3934254.5,"var":15478358540288.0,"ent":2.8,"data": [17190,17418,3506,3946,14197,14999,687,2797,2855,25798,49,26144,8990,9323,15893,71757,495574,483536,221196,265159,15579,77266,487598,467678,9468962,9510672,13760964,13801588,1593559,1633954,4140974]},"pktlen": {"min":54,"avg":212.9,"max":1514,"stddev":294.0,"var":86413.1,"ent":4.1,"data": [66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115]},"bins": {"c_to_s": [8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 00729{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":72852470,"flow_src_last_pkt_time":72852470,"flow_dst_last_pkt_time":72852470,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"78.231.73.14","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":128,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":72850420,"flow_src_last_pkt_time":72850420,"flow_dst_last_pkt_time":72850420,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"77.141.219.27","src_port":28681,"dst_port":37580,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00728{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":71540581,"flow_src_last_pkt_time":71540581,"flow_dst_last_pkt_time":71540581,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.23.75.69","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -1312,7 +1312,7 @@
 00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_packet_id":1,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":124090730,"pkt":"UlQAEjUCCAAn5uVZCABFAABtN+oAAIARg3wKAAIPzyaj5HAJGnoAWUl8GqIxAsDHb8ARC\/TCVyKtTkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAIek2ZxoyMuuDPvZIwnux4CwuAqS"}
 00971{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":124090730,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":124090730,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"207.38.163.228","src_port":28681,"dst_port":6778,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 01460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2126,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":340,"flow_packet_id":2,"flow_src_last_pkt_time":124066131,"flow_dst_last_pkt_time":124181723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":124181723,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBkkAAEARxyomjnfqCgACD8JEcAkC3z99SEIxAiBrw4qXLe42xzCJ9UQAAMACAAAGR1RLRwAAjVz9Bf0jf1LZ5zMd\/xsbFCoGHdIEJo536sJEAQAAAAT9X3JyFEdUS0cAAIQFsf+Bv2njsZMOcK5XBzk5Qq3rBN3GzcRRKkdUS0cAAIPPdMtTw3ywAQrcKHskULaFt8T9BFd7NurTckdUS0cAAIBDDfCNVDqFgBWTNBe\/R1a2V7AXBLm7Sq3Q8VdTSFIAAIsML3baZ9qjEzov01XuwUWPp8CvBBiB6TxOFldTSFIAAIgInuBYn2DWNYTpgSOhE3nGOSSqBGLQGpoTgldTSFIAAJMpLUy99S6l5+o3G\/7HZbY0zUPGBFnUW5sUS1NOT1cAAJJLJdecP9uDvZhuUeP7MwcedtuWBM8mo+QaekdUS0cAAJ6Xxzbx1oA8a67zMFTEYzHds+ukBEziVWkYyldTSFIAAJ7Bez1ZQQgPxovuLAykgS8CMrDdBLAKqQox\/0dUS0cAAJp\/6ofTpH0Z7c9sfONgy\/6jjg5ZBFTFYV4FUFdTSFIAAJgFqYyWS9v2Yq4KyYrmzTVJWc5SBGP6\/WMuK0dUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO0dUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAALd6AZ7svQKtiRxAHRTzpxSemu\/LBNXlb+ATDEdUS0cAALSr6ArQaneMzMJ81PWuqjO12gqLBLV2NdR1LkdUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSEdUS0cAALFbZ+HgSIrho0RaGRNTd1qTgMZFBC0fmHBo40dUS0cAAL1cZVAaZZhJTOPlkpw6jfT8aYRtBD\/kr6kHkA=="}
-02112{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42,"avg":581161.2,"max":1214808,"stddev":505873.5,"var":255907954688.0,"ent":4.2,"data": [193649,195345,1788,3675,1208824,5559,69,1214808,993314,122,993548,1040345,116,1040488,1001310,128,1001514,998194,120,998177,1008259,218,1008532,1046807,141,1046873,1000209,118,1000330,1013376,42,0]},"pktlen": {"min":54,"avg":789.1,"max":1514,"stddev":623.9,"var":389219.0,"ent":4.4,"data": [66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
+02110{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42,"avg":581161.2,"max":1214808,"stddev":505873.5,"var":255907954688.0,"ent":4.2,"data": [193649,195345,1788,3675,1208824,5559,69,1214808,993314,122,993548,1040345,116,1040488,1001310,128,1001514,998194,120,998177,1008259,218,1008532,1046807,141,1046873,1000209,118,1000330,1013376,42]},"pktlen": {"min":54,"avg":789.1,"max":1514,"stddev":623.9,"var":389219.0,"ent":4.4,"data": [66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
 00730{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":126831784,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":126831784,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50330,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":1,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":126831784,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0bCBAAIAGmjkKAAIPRXai5cSatzq0d6IdAAAAAIAC+vCtSgAAAgQFtAEDAwgBAQQC"}
 00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2165,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":2,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126943376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":126943376,"pkt":"CAAn5uVZUlQAEjUCCABFAAAsBmMAAEAGf\/9FdqLlCgACD7c6xJoBCaABtHeiHmAS\/\/8wNgAAAgQFtA=="}
@@ -1428,7 +1428,7 @@
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":114,"flow_packet_id":2,"flow_src_last_pkt_time":131673544,"flow_dst_last_pkt_time":71540581,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Wk0AAIARMwEKAAIPVhdLRXAJGMoAIGjuR05EED8SAQFUC1FLUlAGUk5BXS\/iNQlw"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":131673716,"flow_dst_last_pkt_time":82058208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673716,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0rD4AAIARiPIKAAIPVuOilnAJGMoAIBDQR05EED8TAQFUC1FLUlAGUk5BXS\/iNQlw"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2267,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":131673854,"flow_dst_last_pkt_time":71540138,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673854,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0JF4AAIARIm4KAAIPWkGNnXAJGMoAICJqR05EED8UAQFUC1FLUlAGUk5BXS\/iNQlw"}
-01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1091,"avg":3464951.8,"max":22684647,"stddev":6255594.5,"var":39132462055424.0,"ent":3.3,"data": [399865,400165,2576,3065,879170,880284,1091,343284,15848,359592,3003,2180,5087,145122,145627,10048654,10048652,469496,2676,472723,3557750,3604090,6175326,6222212,413766,464528,22633783,22684647,605343,604983,15818919,0]},"pktlen": {"min":54,"avg":152.2,"max":1078,"stddev":217.4,"var":47264.8,"ent":4.2,"data": [66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76]},"bins": {"c_to_s": [9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1091,"avg":3464951.8,"max":22684647,"stddev":6255594.5,"var":39132462055424.0,"ent":3.3,"data": [399865,400165,2576,3065,879170,880284,1091,343284,15848,359592,3003,2180,5087,145122,145627,10048654,10048652,469496,2676,472723,3557750,3604090,6175326,6222212,413766,464528,22633783,22684647,605343,604983,15818919]},"pktlen": {"min":54,"avg":152.2,"max":1078,"stddev":217.4,"var":47264.8,"ent":4.2,"data": [66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76]},"bins": {"c_to_s": [9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 00733{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":132831233,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":132831233,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"195.181.151.217","src_port":28681,"dst_port":25282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_packet_id":1,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831233,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0BqoAAIARzHEKAAIPw7WX2XAJYsIAIGTAR05EED8VAQFUC1FLUlAGUk5BXS\/iNQlw"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2281,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":138,"flow_packet_id":2,"flow_src_last_pkt_time":132831544,"flow_dst_last_pkt_time":72853189,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0jJMAAIARUAgKAAIPp3KqnHAJXSQAIHPdR05EED8WAQFUC1FLUlAGUk5BXS\/iNQlw"}
@@ -1743,7 +1743,7 @@
 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82058413,"flow_src_last_pkt_time":82058413,"flow_dst_last_pkt_time":82058413,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"118.166.226.70","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":204,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82065556,"flow_src_last_pkt_time":82065556,"flow_dst_last_pkt_time":82065556,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"84.126.240.32","src_port":28681,"dst_port":45313,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":202,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82065172,"flow_src_last_pkt_time":82065172,"flow_dst_last_pkt_time":82065172,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"176.134.139.39","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-01888{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":276,"avg":7491272.5,"max":55455380,"stddev":14262251.0,"var":203411798622208.0,"ent":3.2,"data": [106993,107336,276,805,178388,179820,1439,41004,98031,375723,432936,10046845,10046768,42293,94463,6595038,6594815,3591919,3643921,39217,93460,24009088,24063297,605105,604823,14641110,23768,14665256,55396943,55455380,453178,0]},"pktlen": {"min":54,"avg":170.9,"max":1119,"stddev":244.6,"var":59812.5,"ent":4.1,"data": [66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63]},"bins": {"c_to_s": [11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
+01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":276,"avg":7491272.5,"max":55455380,"stddev":14262251.0,"var":203411798622208.0,"ent":3.2,"data": [106993,107336,276,805,178388,179820,1439,41004,98031,375723,432936,10046845,10046768,42293,94463,6595038,6594815,3591919,3643921,39217,93460,24009088,24063297,605105,604823,14641110,23768,14665256,55396943,55455380,453178]},"pktlen": {"min":54,"avg":170.9,"max":1119,"stddev":244.6,"var":59812.5,"ent":4.1,"data": [66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63]},"bins": {"c_to_s": [11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3065,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":116,"flow_packet_id":2,"flow_src_last_pkt_time":191700213,"flow_dst_last_pkt_time":71540796,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700213,"pkt":"UlQAEjUCCAAn5uVZCABFAAA00HEAAIARI3sKAAIPfCy+kXAJJ7oAIMCGR05EED8oAQFUC1FLUlAGUk5BXS\/iNQlw"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3066,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":191700445,"flow_dst_last_pkt_time":82062863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700445,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0uoEAAIARu5gKAAIPXFhcOHAJUhEAIBhcR05EED8pAQFUC1FLUlAGUk5BXS\/iNQlw"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3067,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":209,"flow_packet_id":3,"flow_src_last_pkt_time":191700671,"flow_dst_last_pkt_time":82066425,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700671,"pkt":"UlQAEjUCCAAn5uVZCABFAAA06UYAAIARhsYKAAIPW7Ni6nAJGMoAIEuVR05EED8qAQFUC1FLUlAGUk5BXS\/iNQlw"}
@@ -6532,10 +6532,10 @@
 ~~ total active/idle flows...: 801/801
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7672286 bytes
-~~ total memory freed........: 7672286 bytes
+~~ total memory allocated....: 7669082 bytes
+~~ total memory freed........: 7669082 bytes
 ~~ total allocations/frees...: 137208/137208
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 180 chars
-~~ json string max len.......: 2117 chars
-~~ json string avg len.......: 1148 chars
+~~ json string max len.......: 2115 chars
+~~ json string avg len.......: 1147 chars
diff --git a/test/results/google_ssl.pcap.out b/test/results/google_ssl.pcap.out
index d619eb5a0..0abe8a0ad 100644
--- a/test/results/google_ssl.pcap.out
+++ b/test/results/google_ssl.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038505 bytes
-~~ total memory freed........: 6038505 bytes
+~~ total memory allocated....: 6038501 bytes
+~~ total memory freed........: 6038501 bytes
 ~~ total allocations/frees...: 121516/121516
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/googledns_android10.pcap.out b/test/results/googledns_android10.pcap.out
index fa45cb767..9de6efd9c 100644
--- a/test/results/googledns_android10.pcap.out
+++ b/test/results/googledns_android10.pcap.out
@@ -25,7 +25,7 @@
 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826049329,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552826051495,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826080321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592552826080321,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01628{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826081468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592552826081468,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}}
-01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":99,"avg":71648.9,"max":447414,"stddev":121761.7,"var":14825912320.0,"ent":3.5,"data": [12824,14641,349,14827,16165,1147,99,31089,1039,512,12517,28602,36858,41216,19219,12546,6221,5033,24265,307087,326211,13788,74283,386701,447414,5048,23824,155667,173706,5036,23182,0]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01876{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":99,"avg":71648.9,"max":447414,"stddev":121761.7,"var":14825912320.0,"ent":3.5,"data": [12824,14641,349,14827,16165,1147,99,31089,1039,512,12517,28602,36858,41216,19219,12546,6221,5033,24265,307087,326211,13788,74283,386701,447414,5048,23824,155667,173706,5036,23182]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00731{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1592552827426405,"pkt":"EBMx8Tl2ag\/ahpuQCABFAABUl9BAAEAB0IHAqAGfCAgICAgA4JUAAgABem3sXgAAAADqxwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="}
 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.297900}}
@@ -41,7 +41,7 @@
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1592552878563796,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1592552878563796,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA0PO9AAEAGL4LAqAGfCAgEBLviA1WhETzKd2wcRoAQAVeSlgAAAQEICgAAACw7E6h3"}
 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":162,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552878564695,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878577421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":147,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":147,"midstream":0,"thread_ts_usec":1592552878577421,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"1249fb68f48c0444718e4d3b48b27188","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":185210.9,"max":1253719,"stddev":341703.1,"var":116761001984.0,"ent":3.2,"data": [12746,14119,899,14919,79,14194,1137,19603,19131,13753,1318,58447,651251,714961,3808,23304,1234142,1253719,12532,32716,484043,503710,3783,30780,265369,292430,20267,12603,11759,7400,12615,0]},"pktlen": {"min":66,"avg":212.2,"max":583,"stddev":197.9,"var":39161.3,"ent":4.4,"data": [74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":185210.9,"max":1253719,"stddev":341703.1,"var":116761001984.0,"ent":3.2,"data": [12746,14119,899,14919,79,14194,1137,19603,19131,13753,1318,58447,651251,714961,3808,23304,1234142,1253719,12532,32716,484043,503710,3783,30780,265369,292430,20267,12603,11759,7400,12615]},"pktlen": {"min":66,"avg":212.2,"max":583,"stddev":197.9,"var":39161.3,"ent":4.4,"data": [74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00883{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":251,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552828402579,"flow_dst_last_pkt_time":1592552828415412,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":128,"midstream":0,"thread_ts_usec":1592552910946566,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00881{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552828402579,"flow_dst_last_pkt_time":1592552828415412,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":128,"midstream":0,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00884{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1592552824409182,"flow_src_last_pkt_time":1592552826207745,"flow_dst_last_pkt_time":1592552826208808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"DoH_DoT.Google","proto_id":"196.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
@@ -58,7 +58,7 @@
 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":295,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007051414,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592553007088078,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":297,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118877,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592553007118877,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01629{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118996,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592553007118996,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":78,"avg":389623.4,"max":5703762,"stddev":1387530.2,"var":1925240193024.0,"ent":1.5,"data": [14386,41870,9180,49912,17551,119,78,32502,535,103,15369,30822,15661,19948,22571,85476,5640736,5703762,20528,7552,6167,13685,17563,31103,85377,103703,33240,18803,6257,16181,17586,0]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":78,"avg":389623.4,"max":5703762,"stddev":1387530.2,"var":1925240193024.0,"ent":1.5,"data": [14386,41870,9180,49912,17551,119,78,32502,535,103,15369,30822,15661,19948,22571,85476,5640736,5703762,20528,7552,6167,13685,17563,31103,85377,103703,33240,18803,6257,16181,17586]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 01058{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":68,"flow_dst_packets_processed":65,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552996489587,"flow_dst_last_pkt_time":1592552996502369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":5210,"flow_dst_tot_l4_payload_len":14618,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 01063{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":121,"flow_dst_packets_processed":120,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553079303170,"flow_dst_last_pkt_time":1592553079299653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":11059,"flow_dst_tot_l4_payload_len":37798,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00575{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","packets-captured":532,"packets-processed":532,"total-skipped-flows":0,"total-l4-payload-len":97842,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":6,"total-detection-updates":9,"total-updates":2,"current-active-flows":0,"total-active-flows":8,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":64,"global_ts_usec":1592553079303170}
@@ -70,10 +70,10 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6098621 bytes
-~~ total memory freed........: 6098621 bytes
+~~ total memory allocated....: 6098589 bytes
+~~ total memory freed........: 6098589 bytes
 ~~ total allocations/frees...: 122160/122160
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
-~~ json string max len.......: 1888 chars
-~~ json string avg len.......: 1195 chars
+~~ json string max len.......: 1886 chars
+~~ json string avg len.......: 1194 chars
diff --git a/test/results/gquic.pcap.out b/test/results/gquic.pcap.out
index 46f1f6d13..734977579 100644
--- a/test/results/gquic.pcap.out
+++ b/test/results/gquic.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046045 bytes
-~~ total memory freed........: 6046045 bytes
+~~ total memory allocated....: 6046041 bytes
+~~ total memory freed........: 6046041 bytes
 ~~ total allocations/frees...: 121508/121508
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/gre_no_options.pcapng.out b/test/results/gre_no_options.pcapng.out
index 2c8e43b50..e3f969fcb 100644
--- a/test/results/gre_no_options.pcapng.out
+++ b/test/results/gre_no_options.pcapng.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/gtp_c.pcap.out b/test/results/gtp_c.pcap.out
index d124e3c94..d47db77fb 100644
--- a/test/results/gtp_c.pcap.out
+++ b/test/results/gtp_c.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035761 bytes
-~~ total memory freed........: 6035761 bytes
+~~ total memory allocated....: 6035757 bytes
+~~ total memory freed........: 6035757 bytes
 ~~ total allocations/frees...: 121491/121491
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/gtp_false_positive.pcapng.out b/test/results/gtp_false_positive.pcapng.out
index d4e0dc887..b6e215c08 100644
--- a/test/results/gtp_false_positive.pcapng.out
+++ b/test/results/gtp_false_positive.pcapng.out
@@ -26,8 +26,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039104 bytes
-~~ total memory freed........: 6039104 bytes
+~~ total memory allocated....: 6039092 bytes
+~~ total memory freed........: 6039092 bytes
 ~~ total allocations/frees...: 121514/121514
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 505 chars
diff --git a/test/results/h323-overflow.pcap.out b/test/results/h323-overflow.pcap.out
index ab0e3ce55..090c4a903 100644
--- a/test/results/h323-overflow.pcap.out
+++ b/test/results/h323-overflow.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037722 bytes
-~~ total memory freed........: 6037722 bytes
+~~ total memory allocated....: 6037718 bytes
+~~ total memory freed........: 6037718 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/h323.pcap.out b/test/results/h323.pcap.out
index d9c2acb91..3e33d5b5f 100644
--- a/test/results/h323.pcap.out
+++ b/test/results/h323.pcap.out
@@ -20,8 +20,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039669 bytes
-~~ total memory freed........: 6039669 bytes
+~~ total memory allocated....: 6039661 bytes
+~~ total memory freed........: 6039661 bytes
 ~~ total allocations/frees...: 121510/121510
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/hangout.pcap.out b/test/results/hangout.pcap.out
index 44fded5b5..4418bd16c 100644
--- a/test/results/hangout.pcap.out
+++ b/test/results/hangout.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6044428 bytes
-~~ total memory freed........: 6044428 bytes
+~~ total memory allocated....: 6044424 bytes
+~~ total memory freed........: 6044424 bytes
 ~~ total allocations/frees...: 121508/121508
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/hpvirtgrp.pcap.out b/test/results/hpvirtgrp.pcap.out
index 4375c06ea..a487d4e4c 100644
--- a/test/results/hpvirtgrp.pcap.out
+++ b/test/results/hpvirtgrp.pcap.out
@@ -71,8 +71,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6071044 bytes
-~~ total memory freed........: 6071044 bytes
+~~ total memory allocated....: 6071008 bytes
+~~ total memory freed........: 6071008 bytes
 ~~ total allocations/frees...: 121712/121712
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/hsrp0.pcap.out b/test/results/hsrp0.pcap.out
index 05cc59026..6031cea02 100644
--- a/test/results/hsrp0.pcap.out
+++ b/test/results/hsrp0.pcap.out
@@ -25,8 +25,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040533 bytes
-~~ total memory freed........: 6040533 bytes
+~~ total memory allocated....: 6040517 bytes
+~~ total memory freed........: 6040517 bytes
 ~~ total allocations/frees...: 121517/121517
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/hsrp2.pcap.out b/test/results/hsrp2.pcap.out
index cb040465d..0bf4159d2 100644
--- a/test/results/hsrp2.pcap.out
+++ b/test/results/hsrp2.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037275 bytes
-~~ total memory freed........: 6037275 bytes
+~~ total memory allocated....: 6037267 bytes
+~~ total memory freed........: 6037267 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/hsrp2_ipv6.pcapng.out b/test/results/hsrp2_ipv6.pcapng.out
index e26f05d04..1dc48f1de 100644
--- a/test/results/hsrp2_ipv6.pcapng.out
+++ b/test/results/hsrp2_ipv6.pcapng.out
@@ -25,8 +25,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038261 bytes
-~~ total memory freed........: 6038261 bytes
+~~ total memory allocated....: 6038253 bytes
+~~ total memory freed........: 6038253 bytes
 ~~ total allocations/frees...: 121531/121531
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/http-crash-content-disposition.pcap.out b/test/results/http-crash-content-disposition.pcap.out
index 8ddb8b1b9..8b9e34737 100644
--- a/test/results/http-crash-content-disposition.pcap.out
+++ b/test/results/http-crash-content-disposition.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036050 bytes
-~~ total memory freed........: 6036050 bytes
+~~ total memory allocated....: 6036046 bytes
+~~ total memory freed........: 6036046 bytes
 ~~ total allocations/frees...: 121502/121502
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 515 chars
diff --git a/test/results/http-lines-split.pcap.out b/test/results/http-lines-split.pcap.out
index ab3656a99..2950b60ec 100644
--- a/test/results/http-lines-split.pcap.out
+++ b/test/results/http-lines-split.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036081 bytes
-~~ total memory freed........: 6036081 bytes
+~~ total memory allocated....: 6036077 bytes
+~~ total memory freed........: 6036077 bytes
 ~~ total allocations/frees...: 121503/121503
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/http-manipulated.pcap.out b/test/results/http-manipulated.pcap.out
index a86165d6c..0c8872a47 100644
--- a/test/results/http-manipulated.pcap.out
+++ b/test/results/http-manipulated.pcap.out
@@ -11,7 +11,7 @@
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":946729142063151,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":946729142063378,"pkt":"ABjzZLGI0h+5iIqPCABFAAA0AABAAEAGuVjAqAAHwKgAFB+Qg5SNfRmbETdtNIAS+vAp\/QAAAgQFtAEBBAIBAwMG"}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":946729142063387,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":946729142063387,"pkt":"0h+5iIqPABjzZLGICABFAAAosvpAAL4GiGnAqAAUwKgAB4OUH5ARN200jX0ZnFAQAfaBhgAA"}
 01228{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142063498,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946729142063498,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.lan","http": {"url":"www.lan:8080\/aaaaaaaaaaaaaaaaaaaaaaaa_very_long_uri","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:81.0) Gecko\/20100101 Firefox\/81.0","detected_os":"Linux x86_64"}}}
-01795{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":4804.0,"max":73065,"stddev":17898.4,"var":320351264.0,"ent":1.2,"data": [227,236,111,336,193,414,72850,73065,187,402,51,53,13,9,38,39,116,116,52,52,10,8,43,47,49,47,9,7,46,48,49,0]},"pktlen": {"min":54,"avg":1464.4,"max":5894,"stddev":1938.5,"var":3757919.2,"ent":3.8,"data": [66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":4804.0,"max":73065,"stddev":17898.4,"var":320351264.0,"ent":1.2,"data": [227,236,111,336,193,414,72850,73065,187,402,51,53,13,9,38,39,116,116,52,52,10,8,43,47,49,47,9,7,46,48,49]},"pktlen": {"min":54,"avg":1464.4,"max":5894,"stddev":1938.5,"var":3757919.2,"ent":3.8,"data": [66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01034{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":946727901369326,"flow_src_last_pkt_time":946727901370537,"flow_dst_last_pkt_time":946727901370531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":577,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33632,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":156,"flow_dst_packets_processed":162,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729148159974,"flow_dst_last_pkt_time":946729148160196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":29200,"flow_src_tot_l4_payload_len":973,"flow_dst_tot_l4_payload_len":939919,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","packets-captured":328,"packets-processed":328,"total-skipped-flows":0,"total-l4-payload-len":941545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":946729148160196}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047006 bytes
-~~ total memory freed........: 6047006 bytes
+~~ total memory allocated....: 6046998 bytes
+~~ total memory freed........: 6046998 bytes
 ~~ total allocations/frees...: 121834/121834
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
-~~ json string max len.......: 1800 chars
-~~ json string avg len.......: 1130 chars
+~~ json string max len.......: 1798 chars
+~~ json string avg len.......: 1129 chars
diff --git a/test/results/http-proxy.pcapng.out b/test/results/http-proxy.pcapng.out
index ec694612d..5f3bdc71b 100644
--- a/test/results/http-proxy.pcapng.out
+++ b/test/results/http-proxy.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036089 bytes
-~~ total memory freed........: 6036089 bytes
+~~ total memory allocated....: 6036085 bytes
+~~ total memory freed........: 6036085 bytes
 ~~ total allocations/frees...: 121502/121502
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/http_auth.pcap.out b/test/results/http_auth.pcap.out
index 710aeeb3f..bc61f61c1 100644
--- a/test/results/http_auth.pcap.out
+++ b/test/results/http_auth.pcap.out
@@ -5,7 +5,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1381844050222515,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1381844050402547,"pkt":"KM\/pITwrTBfruiThCABFAAA8AABAADgGA2jA\/r2pwKgABABQ1EEDZtH9muIxs6ASOJA\/hAAAAgQFtAQCCAowzbX3H38TuAEDAwc="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1381844050402655,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1381844050402655,"pkt":"TBfruiThKM\/pITwrCABFAAA0XSJAAEAGnk3AqAAEwP69qdRBAFCa4jGzA2bR\/oAQICuGBAAAAQEICh9\/FGkwzbX3"}
 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844050402794,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1381844050402794,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"browserspy.dk","http": {"url":"browserspy.dk\/password-ok.php","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36","detected_os":"Intel Mac OS X 10_8_5"}}}
-01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":405011.4,"max":4861829,"stddev":1193509.9,"var":1424465723392.0,"ent":2.2,"data": [180032,180140,139,193993,206403,1322,401505,596,594,735,724,4027,4555,8666,4603,3019,7560,3303,5323,8621,158972,3971,162953,3627,4243,7859,2612,2607,4861805,4861829,1269016,0]},"pktlen": {"min":66,"avg":640.9,"max":1514,"stddev":665.6,"var":443042.2,"ent":4.2,"data": [78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":405011.4,"max":4861829,"stddev":1193509.9,"var":1424465723392.0,"ent":2.2,"data": [180032,180140,139,193993,206403,1322,401505,596,594,735,724,4027,4555,8666,4603,3019,7560,3303,5323,8621,158972,3971,162953,3627,4243,7859,2612,2607,4861805,4861829,1269016]},"pktlen": {"min":66,"avg":640.9,"max":1514,"stddev":665.6,"var":443042.2,"ent":4.2,"data": [78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":19,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844057320871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057320871,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":18376,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1381844057320871}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036840 bytes
-~~ total memory freed........: 6036840 bytes
+~~ total memory allocated....: 6036836 bytes
+~~ total memory freed........: 6036836 bytes
 ~~ total allocations/frees...: 121526/121526
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1743 chars
-~~ json string avg len.......: 1067 chars
+~~ json string max len.......: 1741 chars
+~~ json string avg len.......: 1066 chars
diff --git a/test/results/http_connect.pcap.out b/test/results/http_connect.pcap.out
index 2bb2ab7c6..e9844efb7 100644
--- a/test/results/http_connect.pcap.out
+++ b/test/results/http_connect.pcap.out
@@ -16,8 +16,8 @@
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1631454722876748,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1631454722876748,"pkt":"ACWQX+cTAAwpTU5kCABFAAA0Fy5AAEAGx3LAqAGSl2UChIyAAbsTD57breozroAQAfZcSgAAAQEICgoEV40sPaiU"}
 01079{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631454722879577,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.2","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01124{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722895566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1384,"midstream":0,"thread_ts_usec":1631454722895566,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.3","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01672{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":3086.0,"max":16011,"stddev":4867.3,"var":23690602.0,"ent":3.4,"data": [8850,8886,2829,11347,7507,16011,65,50,21,19,18,33,7291,458,15010,14,4004,11279,678,666,42,41,26,25,27,27,115,115,31,32,149,0]},"pktlen": {"min":66,"avg":563.0,"max":1450,"stddev":627.7,"var":394029.6,"ent":4.1,"data": [74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450]},"bins": {"c_to_s": [13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":6924.9,"max":53379,"stddev":12836.3,"var":164771856.0,"ent":3.4,"data": [32,2664,352,3052,9578,12352,2730,16207,17263,6110,7163,474,478,42,22,11387,743,133,163,12593,29,193,4,101,98,705,4022,50186,53379,1210,1208,0]},"pktlen": {"min":54,"avg":813.0,"max":5590,"stddev":1594.6,"var":2542806.2,"ent":3.3,"data": [66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54]},"bins": {"c_to_s": [7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01670{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":3086.0,"max":16011,"stddev":4867.3,"var":23690602.0,"ent":3.4,"data": [8850,8886,2829,11347,7507,16011,65,50,21,19,18,33,7291,458,15010,14,4004,11279,678,666,42,41,26,25,27,27,115,115,31,32,149]},"pktlen": {"min":66,"avg":563.0,"max":1450,"stddev":627.7,"var":394029.6,"ent":4.1,"data": [74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450]},"bins": {"c_to_s": [13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":6924.9,"max":53379,"stddev":12836.3,"var":164771856.0,"ent":3.4,"data": [32,2664,352,3052,9578,12352,2730,16207,17263,6110,7163,474,478,42,22,11387,743,133,163,12593,29,193,4,101,98,705,4022,50186,53379,1210,1208]},"pktlen": {"min":54,"avg":813.0,"max":5590,"stddev":1594.6,"var":2542806.2,"ent":3.3,"data": [66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54]},"bins": {"c_to_s": [7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00904{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867400,"flow_src_last_pkt_time":1631454722867400,"flow_dst_last_pkt_time":1631454722867500,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":55,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"192.168.1.2","src_port":47767,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":30,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722977215,"flow_dst_last_pkt_time":1631454722977251,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1701,"flow_dst_tot_l4_payload_len":30951,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":22,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722976969,"flow_dst_last_pkt_time":1631454722977036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1904,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
@@ -30,10 +30,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6057516 bytes
-~~ total memory freed........: 6057516 bytes
+~~ total memory allocated....: 6057504 bytes
+~~ total memory freed........: 6057504 bytes
 ~~ total allocations/frees...: 121617/121617
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
-~~ json string max len.......: 1708 chars
-~~ json string avg len.......: 1097 chars
+~~ json string max len.......: 1706 chars
+~~ json string avg len.......: 1096 chars
diff --git a/test/results/http_guessed_host_and_guessed.pcapng.out b/test/results/http_guessed_host_and_guessed.pcapng.out
index 961043c87..829902466 100644
--- a/test/results/http_guessed_host_and_guessed.pcapng.out
+++ b/test/results/http_guessed_host_and_guessed.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037722 bytes
-~~ total memory freed........: 6037722 bytes
+~~ total memory allocated....: 6037718 bytes
+~~ total memory freed........: 6037718 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 516 chars
diff --git a/test/results/http_ipv6.pcap.out b/test/results/http_ipv6.pcap.out
index 899e1b850..db01eeb64 100644
--- a/test/results/http_ipv6.pcap.out
+++ b/test/results/http_ipv6.pcap.out
@@ -20,7 +20,7 @@
 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269127960079,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":260,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":260,"pkt_l4_len":206,"thread_ts_usec":1448269127960079,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAM4RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwDOCoAMj5N114hr41MJBd7sKG9JfODv2KzX0uexKi4OUzkr936AyksmjfKzejWhR1IllABVz6\/Nd8+DDPRvVbNJa4sAljMB\/byd9EnDrnASdvNnincHpyqVPP90d4TSxj+ARZa\/L622T2LNfPxOM6m\/si1ZmPjMCf2wR7DzkfTBciJe2oZugnMhbWbTFVoln8LtSZhpET4oRj3Jk\/IY0Vhm0AHAVNXjHBEt89UVS7Gr6h9OBH5HRJ1TIdTk4GJ40SQl9lgo1l4eCx0="}
 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":143,"pkt_l4_len":89,"thread_ts_usec":1448269128003411,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAAFkRMyoAFFBACwwCAAAAAAAAAF8qAA1AAAEAA3qswP\/+pw1MAbvXaQBZLuIAB1nnejc74Zg5YssedTReRP0KRIf1hcs3Aafoe+Tuwy6JT\/77UOdg9PcT9s8XDyyGEBG\/Mph8KZAg9aAfxnp6BrSLMfMbzThg3fGY8Pw0dHA="}
 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1448269128028795,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":99,"pkt_l4_len":45,"thread_ts_usec":1448269128028795,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAC0RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwAtCd8Mj5N114hr41MKZOnBWgR9A+MJ4bypcpF9U29vj07q+fvNp9EO"}
-01805{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1512,"avg":604281.6,"max":6008829,"stddev":1486148.8,"var":2208638173184.0,"ent":2.8,"data": [25363,26190,172445,219452,15689,87208,38758,110203,47003,1512,26672,45844,1752482,1778725,6798,78256,246614,318052,6008829,6008710,4760,76866,102599,174483,2367,73860,70885,142482,2922,74310,992388,0]},"pktlen": {"min":91,"avg":340.6,"max":1412,"stddev":376.2,"var":141514.9,"ent":4.3,"data": [1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265]},"bins": {"c_to_s": [0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01803{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1512,"avg":604281.6,"max":6008829,"stddev":1486148.8,"var":2208638173184.0,"ent":2.8,"data": [25363,26190,172445,219452,15689,87208,38758,110203,47003,1512,26672,45844,1752482,1778725,6798,78256,246614,318052,6008829,6008710,4760,76866,102599,174483,2367,73860,70885,142482,2922,74310,992388]},"pktlen": {"min":91,"avg":340.6,"max":1412,"stddev":376.2,"var":141514.9,"ent":4.3,"data": [1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265]},"bins": {"c_to_s": [0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575377,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575377,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1448269138575377,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACgGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABkm4Bu5jVbXIAAAAAoAJwgGsaAAACBAWgBAIIChINdycAAAAAAQMDBw=="}
 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":85,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575474,"flow_src_last_pkt_time":1448269138575474,"flow_dst_last_pkt_time":1448269138575474,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575474,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -105,8 +105,8 @@
 ~~ total active/idle flows...: 15/15
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6148791 bytes
-~~ total memory freed........: 6148791 bytes
+~~ total memory allocated....: 6148731 bytes
+~~ total memory freed........: 6148731 bytes
 ~~ total allocations/frees...: 121897/121897
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/http_on_sip_port.pcap.out b/test/results/http_on_sip_port.pcap.out
index 296d99ede..5b7b40d03 100644
--- a/test/results/http_on_sip_port.pcap.out
+++ b/test/results/http_on_sip_port.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036109 bytes
-~~ total memory freed........: 6036109 bytes
+~~ total memory allocated....: 6036105 bytes
+~~ total memory freed........: 6036105 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/i3d.pcap.out b/test/results/i3d.pcap.out
index 49307aa68..9e49428a9 100644
--- a/test/results/i3d.pcap.out
+++ b/test/results/i3d.pcap.out
@@ -35,8 +35,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042269 bytes
-~~ total memory freed........: 6042269 bytes
+~~ total memory allocated....: 6042253 bytes
+~~ total memory freed........: 6042253 bytes
 ~~ total allocations/frees...: 121577/121577
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/iax.pcap.out b/test/results/iax.pcap.out
index 065f26771..a1530e8f5 100644
--- a/test/results/iax.pcap.out
+++ b/test/results/iax.pcap.out
@@ -5,7 +5,7 @@
 00852{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005963862,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":66,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":66,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":66,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1123840005963862,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005966035,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005966035,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV7tAAEARqSfAqAJ4Um4kVBHWEdkAFBwTgBcABAAAAAEAAQYE"}
 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005971132,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005971132,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV71AAEARqSXAqAJ4Um4kVBHWEdkAFBwJgBcABAAAAAgAAQYH"}
-01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":948,"avg":18980.7,"max":51403,"stddev":10969.1,"var":120322248.0,"ent":4.7,"data": [2173,5097,7653,24399,24352,24724,16912,51403,9638,12261,14097,6869,22758,16765,31325,17887,20048,11489,43190,21320,13940,17067,22553,948,20517,34133,6854,21003,19904,17982,29140,0]},"pktlen": {"min":54,"avg":175.5,"max":214,"stddev":59.5,"var":3538.2,"ent":4.9,"data": [108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206]},"bins": {"c_to_s": [3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":948,"avg":18980.7,"max":51403,"stddev":10969.1,"var":120322248.0,"ent":4.7,"data": [2173,5097,7653,24399,24352,24724,16912,51403,9638,12261,14097,6869,22758,16765,31325,17887,20048,11489,43190,21320,13940,17067,22553,948,20517,34133,6854,21003,19904,17982,29140]},"pktlen": {"min":54,"avg":175.5,"max":214,"stddev":59.5,"var":3538.2,"ent":4.9,"data": [108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206]},"bins": {"c_to_s": [3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":22,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006472888,"flow_dst_last_pkt_time":1123840006489877,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":4046,"flow_dst_tot_l4_payload_len":3008,"midstream":0,"thread_ts_usec":1123840006489877,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00555{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":7054,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1123840006489877}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037095 bytes
-~~ total memory freed........: 6037095 bytes
+~~ total memory allocated....: 6037091 bytes
+~~ total memory freed........: 6037091 bytes
 ~~ total allocations/frees...: 121537/121537
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1726 chars
+~~ json string max len.......: 1724 chars
 ~~ json string avg len.......: 1050 chars
diff --git a/test/results/icmp-tunnel.pcap.out b/test/results/icmp-tunnel.pcap.out
index 25d8728f1..a3263d62d 100644
--- a/test/results/icmp-tunnel.pcap.out
+++ b/test/results/icmp-tunnel.pcap.out
@@ -5,7 +5,7 @@
 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227866459330,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":92,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1360227866459330,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.703333}}
 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1360227867458100,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227867458100,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAH3tPQgAAi5uE1EKRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"}
 00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1360227868458136,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227868458136,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAD\/sPQgAAy9uE1FHRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"}
-01908{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":998770,"avg":1419844.6,"max":13999352,"stddev":2296693.5,"var":5274800750592.0,"ent":4.2,"data": [998770,1000036,1000056,999983,1000051,1000074,1000009,1000032,1000047,1000127,999991,999982,1000043,999922,13999352,1001250,1001214,1000977,1001002,1001107,1001081,1000973,1000923,1000944,1000921,1001115,1001144,1001036,1001015,1001004,1001005,0]},"pktlen": {"min":126,"avg":126.0,"max":126,"stddev":0.0,"var":0.0,"ent":5.0,"data": [126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126]},"bins": {"c_to_s": [0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01906{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":998770,"avg":1419844.6,"max":13999352,"stddev":2296693.5,"var":5274800750592.0,"ent":4.2,"data": [998770,1000036,1000056,999983,1000051,1000074,1000009,1000032,1000047,1000127,999991,999982,1000043,999922,13999352,1001250,1001214,1000977,1001002,1001107,1001081,1000973,1000923,1000944,1000921,1001115,1001144,1001036,1001015,1001004,1001005]},"pktlen": {"min":126,"avg":126.0,"max":126,"stddev":0.0,"var":0.0,"ent":5.0,"data": [126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126]},"bins": {"c_to_s": [0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01011{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":104,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":59,"flow_dst_packets_processed":38,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227908233821,"flow_dst_last_pkt_time":1360227908233520,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":852,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":6481,"flow_dst_tot_l4_payload_len":5677,"midstream":0,"thread_ts_usec":1360227908233821,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01011{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":160,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":87,"flow_dst_packets_processed":60,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228057029534,"flow_dst_last_pkt_time":1360228057029101,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":852,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":9088,"flow_dst_tot_l4_payload_len":8105,"midstream":0,"thread_ts_usec":1360228057029534,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01015{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":188,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":99,"flow_dst_packets_processed":72,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228087392773,"flow_dst_last_pkt_time":1360228087392391,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1036,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":14860,"flow_dst_tot_l4_payload_len":13877,"midstream":0,"thread_ts_usec":1360228087392773,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -43,10 +43,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6060672 bytes
-~~ total memory freed........: 6060672 bytes
+~~ total memory allocated....: 6060668 bytes
+~~ total memory freed........: 6060668 bytes
 ~~ total allocations/frees...: 122350/122350
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
-~~ json string max len.......: 1913 chars
-~~ json string avg len.......: 1203 chars
+~~ json string max len.......: 1911 chars
+~~ json string avg len.......: 1202 chars
diff --git a/test/results/iec60780-5-104.pcap.out b/test/results/iec60780-5-104.pcap.out
index 2f251de0b..66ceb2a4d 100644
--- a/test/results/iec60780-5-104.pcap.out
+++ b/test/results/iec60780-5-104.pcap.out
@@ -36,7 +36,7 @@
 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":107,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":107,"packets-processed":106,"total-skipped-flows":0,"total-l4-payload-len":343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":3,"total-active-flows":6,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1219992852463357}
 00919{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":117,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":10,"flow_first_seen":1219992590188368,"flow_src_last_pkt_time":1219992781349438,"flow_dst_last_pkt_time":1219992781349461,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":24,"midstream":0,"thread_ts_usec":1219992910077446,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1572,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":124,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":5,"flow_first_seen":1219992782348776,"flow_src_last_pkt_time":1219992818955088,"flow_dst_last_pkt_time":1219992818955112,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":17,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":6,"midstream":0,"thread_ts_usec":1219992961194617,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1577,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":133,"avg":11085131.0,"max":32516052,"stddev":10877058.0,"var":118310385483776.0,"ent":4.1,"data": [133,283,1182,4289,153898,32516052,32485009,17329020,17462619,171223,19844571,20033163,171510,19860294,20118307,25436246,25352045,204330,19828922,20215237,5341755,5765246,10455867,10671339,13934,15202,139861,131307,218735,19641453,20056039,0]},"pktlen": {"min":54,"avg":65.6,"max":118,"stddev":11.5,"var":132.4,"ent":5.0,"data": [62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01791{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":133,"avg":11085131.0,"max":32516052,"stddev":10877058.0,"var":118310385483776.0,"ent":4.1,"data": [133,283,1182,4289,153898,32516052,32485009,17329020,17462619,171223,19844571,20033163,171510,19860294,20118307,25436246,25352045,204330,19828922,20215237,5341755,5765246,10455867,10671339,13934,15202,139861,131307,218735,19641453,20056039]},"pktlen": {"min":54,"avg":65.6,"max":118,"stddev":11.5,"var":132.4,"ent":5.0,"data": [62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00922{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":19,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219993055118751,"flow_dst_last_pkt_time":1219993055118603,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":263,"midstream":0,"thread_ts_usec":1219993055118751,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":147,"packets-processed":147,"total-skipped-flows":0,"total-l4-payload-len":748,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":6,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":41,"global_ts_usec":1219993055118751}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -47,10 +47,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6048048 bytes
-~~ total memory freed........: 6048048 bytes
+~~ total memory allocated....: 6048024 bytes
+~~ total memory freed........: 6048024 bytes
 ~~ total allocations/frees...: 121684/121684
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
-~~ json string max len.......: 1798 chars
-~~ json string avg len.......: 1093 chars
+~~ json string max len.......: 1796 chars
+~~ json string avg len.......: 1092 chars
diff --git a/test/results/imap-starttls.pcap.out b/test/results/imap-starttls.pcap.out
index 9e605e2cf..fbefe14bd 100644
--- a/test/results/imap-starttls.pcap.out
+++ b/test/results/imap-starttls.pcap.out
@@ -8,7 +8,7 @@
 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568569894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":271,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":530,"midstream":0,"thread_ts_usec":1437584568570497,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568767274,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":1990,"midstream":0,"thread_ts_usec":1437584568767274,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01243{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568767550,"flow_dst_last_pkt_time":1437584568769690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":5492,"midstream":0,"thread_ts_usec":1437584568769690,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
-01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":188486.4,"max":1677753,"stddev":378167.8,"var":143010873344.0,"ent":3.3,"data": [189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432,0]},"pktlen": {"min":54,"avg":249.2,"max":1514,"stddev":424.6,"var":180326.2,"ent":3.7,"data": [78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60]},"bins": {"c_to_s": [15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1]}}
+01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":188486.4,"max":1677753,"stddev":378167.8,"var":143010873344.0,"ent":3.3,"data": [189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432]},"pktlen": {"min":54,"avg":249.2,"max":1514,"stddev":424.6,"var":180326.2,"ent":3.7,"data": [78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60]},"bins": {"c_to_s": [15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1]}}
 01244{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01274{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":6193,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1437584570828629}
@@ -20,10 +20,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6054969 bytes
-~~ total memory freed........: 6054969 bytes
+~~ total memory allocated....: 6054965 bytes
+~~ total memory freed........: 6054965 bytes
 ~~ total allocations/frees...: 121531/121531
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1589 chars
-~~ json string avg len.......: 1030 chars
+~~ json string max len.......: 1587 chars
+~~ json string avg len.......: 1029 chars
diff --git a/test/results/imap.pcap.out b/test/results/imap.pcap.out
index 91ee4e8df..6952cbbd3 100644
--- a/test/results/imap.pcap.out
+++ b/test/results/imap.pcap.out
@@ -5,7 +5,7 @@
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1213095262213846,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1213095262213972,"pkt":"ABUXJM1lAASWJ8g6CABFAAA8VURAAH8GiyQKKAMCCigEAgCPs903+0YNiGqqZqASIAAxdQAAAgQFtAEDAwgEAggKAoc1IAoMNC0="}
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1213095262213996,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1213095262213996,"pkt":"AASWJ8g6ABUXJM1lCABFAAA0nklAAEAGgScKKAQCCigDArPdAI+IaqpmN\/tGDoAQAC6AFAAAAQEICgoMNC0ChzUg"}
 01025{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":4,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266594138,"flow_dst_last_pkt_time":1213095262264097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":26,"flow_dst_max_l4_payload_len":65,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":1213095266594138,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email","imap": {"user":"samir","password":"pfres","auth_failed":0}}}
-01806{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":88,"avg":294609.8,"max":4331408,"stddev":1060070.4,"var":1123749068800.0,"ent":1.4,"data": [126,150,12887,12906,231,444,36852,36794,135,4330018,4331408,1394,16846,17272,39867,39540,93,199,596,39710,39393,88,905,1344,39009,38693,107,104,10836,47768,37190,0]},"pktlen": {"min":66,"avg":115.9,"max":762,"stddev":125.9,"var":15857.5,"ent":4.6,"data": [74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762]},"bins": {"c_to_s": [18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}}
+01804{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":88,"avg":294609.8,"max":4331408,"stddev":1060070.4,"var":1123749068800.0,"ent":1.4,"data": [126,150,12887,12906,231,444,36852,36794,135,4330018,4331408,1394,16846,17272,39867,39540,93,199,596,39710,39393,88,905,1344,39009,38693,107,104,10836,47768,37190]},"pktlen": {"min":66,"avg":115.9,"max":762,"stddev":125.9,"var":15857.5,"ent":4.6,"data": [74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762]},"bins": {"c_to_s": [18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}}
 01009{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780387,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780387,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}}
 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":1580,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1213095266780387}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038678 bytes
-~~ total memory freed........: 6038678 bytes
+~~ total memory allocated....: 6038674 bytes
+~~ total memory freed........: 6038674 bytes
 ~~ total allocations/frees...: 121522/121522
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1811 chars
-~~ json string avg len.......: 1091 chars
+~~ json string max len.......: 1809 chars
+~~ json string avg len.......: 1090 chars
diff --git a/test/results/imaps.pcap.out b/test/results/imaps.pcap.out
index 348b5bdf6..cf61c65c7 100644
--- a/test/results/imaps.pcap.out
+++ b/test/results/imaps.pcap.out
@@ -25,8 +25,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6051900 bytes
-~~ total memory freed........: 6051900 bytes
+~~ total memory allocated....: 6051892 bytes
+~~ total memory freed........: 6051892 bytes
 ~~ total allocations/frees...: 121538/121538
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/imo.pcap.out b/test/results/imo.pcap.out
index 0ae9164e5..3d04b8250 100644
--- a/test/results/imo.pcap.out
+++ b/test/results/imo.pcap.out
@@ -10,8 +10,8 @@
 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366906814,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":43,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":43,"pkt_l4_len":9,"thread_ts_usec":1646579366906814,"pkt":"mt9Y+uvcCL6sCxduCABFAAAd07xAADYRF2ddIS86wKgMqeEEwDcACY7ydg=="}
 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1646579366927729,"pkt":"mt9Y+uvcCL6sCxduCABFAACH071AADYRFvxdIS86wKgMqeEEwDcAc11kag0AAJobOdZhqhsqD3t\/ZsLZznm6P+VojS4Ym286bkA4KafGXg3iLF\/wjB8hr6WLuR7MT5lbl5UGnsPZptwcvPKKbJmOyY4TOPC9kAo6L6kDDYE4iSyFwPlyWfdtSAheyL2rRrc\/cATh7Qs="}
 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579366939802,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":10,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":11,"flow_dst_tot_l4_payload_len":108,"midstream":0,"thread_ts_usec":1646579366939802,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":59559.6,"max":463846,"stddev":120414.4,"var":14499615744.0,"ent":3.2,"data": [36207,20915,69195,11193,10953,10897,11928,60266,17574,7210,47,9880,379036,463846,100219,9477,9867,20901,22,106515,270,209,156,89,19549,7836,19677,23241,7950,3744,407480,0]},"pktlen": {"min":43,"avg":57.0,"max":149,"stddev":23.0,"var":529.8,"ent":4.9,"data": [43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52]},"bins": {"c_to_s": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":138459.7,"max":1002796,"stddev":305661.1,"var":93428727808.0,"ent":2.8,"data": [396,41304,49,43405,10843,2151,275,10533,8077,9421,9986,55709,51,24,9743,18469,13472,314,9827,9743,9558,13513,46,69283,127192,99850,16582,835382,861703,1002796,1002553,0]},"pktlen": {"min":52,"avg":433.4,"max":1266,"stddev":488.9,"var":239046.1,"ent":4.2,"data": [242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53]},"bins": {"c_to_s": [0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":59559.6,"max":463846,"stddev":120414.4,"var":14499615744.0,"ent":3.2,"data": [36207,20915,69195,11193,10953,10897,11928,60266,17574,7210,47,9880,379036,463846,100219,9477,9867,20901,22,106515,270,209,156,89,19549,7836,19677,23241,7950,3744,407480]},"pktlen": {"min":43,"avg":57.0,"max":149,"stddev":23.0,"var":529.8,"ent":4.9,"data": [43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52]},"bins": {"c_to_s": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":138459.7,"max":1002796,"stddev":305661.1,"var":93428727808.0,"ent":2.8,"data": [396,41304,49,43405,10843,2151,275,10533,8077,9421,9986,55709,51,24,9743,18469,13472,314,9827,9743,9558,13513,46,69283,127192,99850,16582,835382,861703,1002796,1002553]},"pktlen": {"min":52,"avg":433.4,"max":1266,"stddev":488.9,"var":239046.1,"ent":4.2,"data": [242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53]},"bins": {"c_to_s": [0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":37,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579370069590,"flow_dst_last_pkt_time":1646579370091576,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1052,"flow_dst_max_l4_payload_len":1039,"flow_src_tot_l4_payload_len":6713,"flow_dst_tot_l4_payload_len":11506,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00911{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579369944784,"flow_dst_last_pkt_time":1646579369921382,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":12230,"flow_dst_tot_l4_payload_len":731,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":31180,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1646579370091576}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040173 bytes
-~~ total memory freed........: 6040173 bytes
+~~ total memory allocated....: 6040165 bytes
+~~ total memory freed........: 6040165 bytes
 ~~ total allocations/frees...: 121597/121597
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1738 chars
-~~ json string avg len.......: 1099 chars
+~~ json string max len.......: 1736 chars
+~~ json string avg len.......: 1098 chars
diff --git a/test/results/instagram.pcap.out b/test/results/instagram.pcap.out
index 9f619db34..327420570 100644
--- a/test/results/instagram.pcap.out
+++ b/test/results/instagram.pcap.out
@@ -11,7 +11,7 @@
 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898499269,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720898501130,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01358{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1436720898386781,"flow_dst_last_pkt_time":1436720898551576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":679,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":679,"pkt_l4_len":645,"thread_ts_usec":1436720898551576,"pkt":"QPMIw47hABsv8H60CABFAAKZ5iRAAFUG\/+kfDV00wKgAZwG7hJCk1JOYiMGTh4AYAE6DfwAAAQEIClpSq5UAA+qLFwMBAmB3TNLiDxMdaG\/77FJR8O6B7ETM5PL1YEwRicjM0iP0UHaAjwUM69tZJRboKPSJSylQ1372woiRMUoGT0dkqivXwS77nykGpDpQxH2zG\/qLmXj10Apbm9mNJzojbuGkVAQeXciVaLovJfxV8pe4ApuOMtqX+wzNa0ZzIxrRfdGy1r+REoc96\/duttzeccU7r8F+0sSj4kAMBptpjPxHIWmQ8bvcQmsOZTBbtWqbInBydwnOzZKHuUG4UpWsNoKQLrxSa1ETAsjugoyEe5PPT8+cb8Irh4mKsNfbStX5KDjpe9Dme8aKUCL1ceYHHjALeMY9l4fx2o0KIF6TukGkzvqR8cZ+qcyDG5U\/HYh5lxYTcHS7lDXS1PzV6XOR41h1cZ9L+KxXE6JczRHCSiNT1VF7boI4Qizj5lEdfdajhSQHOEg16UAhsZHpgK1G5Iki1ek6rdWyUqwchJMZYUThaRdJpKv9RM0OW9cAtKW4cZKenq0TEdOPDEBRCwskRboA6Gi3YnhJ3qdvDGkTLGo9t+FpkGczAZZn4gKC4xoEybQb10OFqFb4BP0BHlc1dmzqbYjWeEKW2wJjaNEaqdUvlusDaKzJPAfd\/FC3qcdqBy6RoP1rw6AWfXgFirXb5SF1IsZGaICO7Vi\/A05NBIj2TN+sAkrMTvlnJxzijI3OS4z\/O7pdS0yJ1AhdM2CbNqiTSP1\/fSWG2i895LYIERx7TAiABxyhh9ufac6WLn1D9wJV86snpuHfJEPWipx7pSJs20IjfVBIUe\/onrcoOjL6GotP95FotxVNOdpbLqczmpv1mQ=="}
 01235{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898646669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1436720898646669,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"acb741bcdffb787c5a52654c78645bdf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}}
-01564{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":136248.2,"max":1572479,"stddev":382122.6,"var":146017665024.0,"ent":2.2,"data": [88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672,0]},"pktlen": {"min":66,"avg":682.5,"max":1464,"stddev":663.9,"var":440818.0,"ent":4.2,"data": [1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
+01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":136248.2,"max":1572479,"stddev":382122.6,"var":146017665024.0,"ent":2.2,"data": [88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672]},"pktlen": {"min":66,"avg":682.5,"max":1464,"stddev":663.9,"var":440818.0,"ent":4.2,"data": [1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
 00893{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900684083,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00878{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":326,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":326,"pkt_l4_len":292,"thread_ts_usec":1436720900684083,"pkt":"ABsv8H60QPMIw47hCABFAAE4wXBAAEAGQn\/AqABnLiFGoJegAFCP9SVkp0jV34AYH+olJAAAAQEICgAD63Ga3vWjR0VUIC9ocGhvdG9zLWFrLXhhcDEvdDUxLjI4ODUtMTUvZTM1LzEwODU5OTk0XzEwMDk0MzM3OTI0MzQ0NDdfMTYyNzY0NjA2Ml9uLmpwZz9zZT03IEhUVFAvMS4xDQpIb3N0OiBwaG90b3MtaC5hay5pbnN0YWdyYW0uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBJbnN0YWdyYW0gNy4xLjEgQW5kcm9pZCAoMTkvNC40LjI7IDQ4MGRwaTsgMTA4MHgxOTIwOyBzYW1zdW5nOyBHVC1JOTUwNTsgamZsdGU7IHFjb207IGl0X0lUKQ0KDQo="}
@@ -27,10 +27,10 @@
 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900692262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900692262,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}}
 02436{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900716768,"pkt":"QPMIw47hABsv8H60CABFAAW+uH1AADkGTewuIUagwKgAZwBQl6CnSNXfj\/UmaIAQAiku5gAAAQEICprfPdsAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjU3OjA4IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTUwMDMxDQpDYWNoZS1Db250cm9sOiBuby10cmFuc2Zvcm0sIG1heC1hZ2U9MTIwOTYwMA0KRXhwaXJlczogU3VuLCAyNiBKdWwgMjAxNSAxNzowODoyMCBHTVQNCkRhdGU6IFN1biwgMTIgSnVsIDIwMTUgMTc6MDg6MjAgR01UDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDBjMzQ3MDAwMDEzNjQwMDAwNjM4NDAwMDA4MzJiMDEwMDBiODUwMTAwODdkZjAxMDAwZDRhMDIwMDlkYTIwMjAwNzY3MzAzMDAA\/9sAQwAGBgYGBgYLBgYLEAsLCxAVEBAQEBUbFRUVFRUbIBsbGxsbGyAgICAgICAgJycnJycnLS0tLS0zMzMzMzMzMzMz\/9sAQwEICAgNDA0WDAwWNSQeJDU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1\/8IAEQgEDwQPAwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAUBAgMEBgAHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAANnYrv6OWePnpwvl4Ucr5ZqutmsxzGNFZbBKECWI2oX8gp+rqOdscgJarTJrPTiAtUZEnHz0qOljcEskD1c01Rksi2ko7C10FaSJqLDY0bkkglRK+J01IqIm99eIL6jmheWgjCKVJUTsjcmxJXNVG3K1KNr3irtvMCithKVbraoq9cQKb5mse+vydpRzhEXinDIvFyoIspSDsdW4LfVORbSFGS9z0Q07Vapihe24SRFCV8D5p7U4fInJNSacY9CnDoLekTpOusTppdQVRUWk5Z3S6nSOaiisOZWrWqtSjFjqVjcxzA+ktxbdV5FmYfOO1PR5O6tOVN6dGCvruavqOenPG2AT0hWptvhfNzvglTijkaS2WB9FlYElvdXcE7qNkc6sYnO6nwWWwvB6cwHJ3BI+Pk7LqzU7SQPCRiRBzWw1M8o9Wr7h8yd2Yes0RUdMne6nInZbXUcjq0gpefEOw6FZdhsSpo1\/NNSRGRwz8KussbUKdHc9LXYK7JQkHbZE9CMRrLHVuCy6tIhIp+ajbOxDZOaN8kM6b52TRosiOmpWqktXN4fR9WcyxQQ3Mi1m1NxKzxO57gjldCOau1Guh6KocxG0s90jNuePlRqSaiqL7xrhlZBD1ROCogrq0VC86jwXI66CmfUcy84e5MlIKemSZRcnZWo5lqOCIVpafMuyjnIKtHOmrjanNWmV0at9VUdlavIty0UHfcNVBHhvASbQRlyCBWndG1xZlpvVXVpuTtPpPHelHPmiqjZJuxJVci8tKRVa6m0Lsg1QJNocO+lKMV1BqVN+Km1zbjrI1P1ZzUr6iNEZRL5ZRw56q6yDgmfWQLsg16ZNg3hkHi+ETQdInbdS4duCJorHU42r7hqMKoMQCnCeAuojkF0F8BRBzhkEpcFpK6im5sQ5GRJU57qi78tptbhTpBzLHQKE7qrwsdX4LS1+Ts9Uc1YWugWOruCfoFCwtRydla3CsLCo7DIlTl6FQm6BQnWuoT9DwSpCoS9DwTdA4JVrqE\/QKOx0ChM6u5EjoeCVY+ZIiIA="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900717195,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900717195,"pkt":"ABsv8H60QPMIw47hCABFAAA0wXFAAEAGQ4LAqABnLiFGoJegAFCP9SZop0jbaYAQH+o19wAAAQEICgAD63Sa3z3b"}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":3256.5,"max":33112,"stddev":8022.9,"var":64366212.0,"ent":2.9,"data": [32685,33112,763,702,1770,2075,61,30,336,366,672,610,610,611,610,641,610,611,10956,1922,1953,366,305,794,1068,458,457,428,824,4059,488,0]},"pktlen": {"min":66,"avg":1226.2,"max":1484,"stddev":538.2,"var":289645.8,"ent":4.8,"data": [326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484]},"bins": {"c_to_s": [5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":3256.5,"max":33112,"stddev":8022.9,"var":64366212.0,"ent":2.9,"data": [32685,33112,763,702,1770,2075,61,30,336,366,672,610,610,611,610,641,610,611,10956,1922,1953,366,305,794,1068,458,457,428,824,4059,488]},"pktlen": {"min":66,"avg":1226.2,"max":1484,"stddev":538.2,"var":289645.8,"ent":4.8,"data": [326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484]},"bins": {"c_to_s": [5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 02434{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900687959,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900744752,"pkt":"QPMIw47hABsv8H60CABFAAW+u1hAADkGUttSVRqiwKgAZwBQ4lApkhzMOpIM7IAQAku18QAAAQEIClYLL1sAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjMyOjE3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTEyMjY4DQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA4OjIwIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AbFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABPHAIoAEpGQk1EMGYwMDA3NWIwMTAwMDBjZDFlMDAwMDUxNmQwMDAwYTY3YjAwMDBkMzhhMDAwMDQ3MTMwMTAwZDU4MDAxMDA4Y2I2MDEwMAD\/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT\/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT\/wgARCAKAAoADASIAAhEBAxEB\/8QAHQAAAAYDAQAAAAAAAAAAAAAAAAECAwUGBAcICf\/EABsBAAIDAQEBAAAAAAAAAAAAAAABAgMEBQYH\/9oADAMBAAIQAxAAAADRJrP1fOIlpAgZgklAaSWREiWQ0hYBBKMG1GQ0mshINSQNKwDZqISVGBpCiEDBAlSiBIUY0GoAhRgEhRMIlm0hLpRTallISS1AgnEASgbEmowbUamIMzBKgaCCgBEs2NLM2INRiSFhiApTEksNJDhobBqHjA10yQHEiSSgCQoARGYJBhCQZgklkCTCgQThDSSzabMzAkuECSUY0gwJJmbEGogIGpiCWaEBSgbNRAk1hiCcJCDUGkGshpCjEkKVJthagbCzEgKMEmYAjNQICzaaWoAhZmxAUYIUZySQsAQcITZqJSxlGVMgDAJCwCUrCEBQYgwoEBQQkzAJBmxKXSBBmbEAGggowSlYBIcQJKloYRrJCQtLEmsASVhiA4kRGYGQUQkk4AQsEwgswbNZNESw2kzUk2awBJdKQg1KQ2ow0ROkNBOpEk1BhBZtEDMASgCCdCMMwuixAcIEBYE2HEjbNYBBOkNAUoSCWTaTCiKSWBthwkkBZAQUGINwDaCjkkhZobDgBCXDE0pYbQThobDiXEicJjalhNIMCSayBCjAEa0ySQ4QJNQYkzMCJYBBrMEEpQIDokIJwkIUoMSToBClAEGtQkEs0YClHRYk1pBIMwbNQYgnSYgLIEBwkICyYhS0tJCxFthwmkKMASVmhAWbEE4TSQsgIGpNBLIRBQaQayBJOAEBwMQFpAkukCQsAg1kwjMMCVgRGahtk4ASFmDYdSCQtbGjUbRJdAkBZDILMTalGxBqU0hLiYmGDXVNCjMaUrANmsIQlZttqUY2w4RFAcShClECQoCSlwmETgBsKNMgZsSTpAgKSIlGYICyESVkBBYBBqJog4E0E4TEB0gQHA00FqGlLhuKTNQINQJJJZgg1KY2ZpImFGNJLDSTWQIWFASXDBBg5BGoAgOEGEajpmg1hCCcIEEswQl5DSTM00EswQFATalGCCUYJJRg2oGCQsxoSswQow0lLgQhSgCDUGkBYEkOEDYdAIJZgk1ESQpQcUhRsSFGCQZgklgEmZg2pZyEBZgglmMiWQkhRgkOBoicSMiWbSDWGJNQBJOAMAKVVMgYiIUahNE4Y2wsNICwNCXUCIlmDRuGk2S1NsLUYIJwRbZrDSAo00GsmINQEkk="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900745027,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900745027,"pkt":"ABsv8H60QPMIw47hCABFAAA00CZAAEAGPJfAqABnUlUaouJQAFA6kgzsKZIiVoAQH3QuLQAAAQEICgAD63dWCy9b"}
-01718{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":11468.7,"max":111969,"stddev":29722.3,"var":883413632.0,"ent":2.3,"data": [56793,57068,1160,977,610,610,428,397,457,457,672,702,1281,1282,1160,1160,488,457,428,458,111480,31,111969,336,1343,61,30,1038,885,793,519,0]},"pktlen": {"min":66,"avg":785.4,"max":1484,"stddev":697.7,"var":486813.2,"ent":4.3,"data": [319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":11468.7,"max":111969,"stddev":29722.3,"var":883413632.0,"ent":2.3,"data": [56793,57068,1160,977,610,610,428,397,457,457,672,702,1281,1282,1160,1160,488,457,428,458,111480,31,111969,336,1343,61,30,1038,885,793,519]},"pktlen": {"min":66,"avg":785.4,"max":1484,"stddev":697.7,"var":486813.2,"ent":4.3,"data": [319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 02425{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":179,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900872835,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900872835,"pkt":"QPMIw47hABsv8H60CABFAAW+QeVAADkGzDdSVRq5wKgAZwBQ4m1aOHmGBPBEEYAQAktTqQAAAQEIClnq0tYAA+t6pEVxjNbEsTo05BJiqWC+y9Cm00IuBsqQ3OjXYmls3ooNNijoaA4JvaGXA6WBNFUSNxldWicRkqfSvQ+ysT9n0voZ+EyJR6Oy8JFg5mjiK3jhnpErGpjhG8skeRODdCdQ2MDy8miGRvQk1oSZFhVmGQ28jcag3sVEigomNJgo2R5DYnSdEiIuyPaJg2JvQlTQl7HH2PCFhjS9CYo0RCdlSaY2qVbA7SVlukMk60Nrou0FvVb7YyZLsTJUNNjXYcKjL2NNBHY6YRIqyEsm+g1byhIVtLCoTuULeROaIZSg30H1KXibE4I6MNQaNsuwl6EmkRW2hNPKHVGvY2h4LXCptXgsREUx4KkzYc6itsZrGceuCUwiNvZ0NlpU4bHVgOMeBQT+hXsW4NkxniYRKY0LOGPOuJ3wxvNY30XInTbyUHSrYx3BbGhCWhOLAjiZyQZFUJdjY3cIt4ZOkJvIlCy+hRiRG+RuPBllCy6VrIsIWMN5wEbUZGNRwXYxYMsCZvBM0SI+CRpDbsamyBbROyZoo8CJEl6E9mJ2S8EM3LEKN5FGYSlBs8UdkxmA2mpRC0zPZ7xJ9CwL8H7GJMEIRrTFqwKrYnyiJkSFrOodENU0wTGWNK2jlI9lfZlilokuhJLsxJCYIN4hejdRoOrIspMTJA01hjZUKPFINeESqCUMEQXvhWETJONsmi4g1wbPQfoNvgSpYMGCvY9YNIqvA3SQSmRLI4YPo2XNMYImYP1DY4jPgTTw2RtDTZj2bUhs0VbI6JdDjHkaG0not6KSwmmsQgk2Q2d8EY0NThbnDb6LikplbG2dZcC3WN4yZoyEhYNBej0BWx7I90tpJlyN42ZDbInnJ1C1j9i4ezDdGzUCRBRluhyJbIYWhtD6NOhqmcKFroh5EphFtxoj0LHA27N4EuzbHNiablHlZGpBOsMNmxNFXQsIyISmhtLI00bJ7F+j1S+jDRaWi3vmNnZe2dMzFsHjJciezaGpgnsUwLB9OsnZ3niE9jVXaWBDK2XAvaENk6N0ekQ2O9mkVid2JeCeikitCaY2qSMSexWxPhK4FBtCR+iXk7ssgLA2L0SCdTorMmVWF2XC0NTE0Jx1GuCltCJQTg1LLSyaM2UJLoSF6DFF9Mw9kaL7IKmI4MmxmzPiZWtisp9MNxiCdRNs2PYXFI7EHTI1SpITxUMwngXpkyZLmoTeRzsWCnZ+DfRVtifokzCxuYoykLQuIaLckmHw90WsHeOLnJ84eDeStIr0XApBloXsSFOuGxPJSo9D4JV5INNsaqEnFWmLKwNNiDhZETR+8N0hPQnDfQ9jUeRJC3L2abSUYrSyXKQvTLUJ0TMDXTG22NpLA+h7pbgbPbEFhURZQjQj9GNi+DZGcFGLsjYTTQlYRp28M2yQyxotDecoU0R2IEl2iJYG4illoT0E0yNMauOGKUSPA0mRrZpNHQ9mUtCe8LiDqwZ6FGTD0YCawPKG6VPR1B6om0oVtJszsT2oPLg1iChibE3sd6Emqj9QlcmEXhv0J3fFLW0UaJbG7obENhs2LInSGhYWLA09oR2MwU2WaOiiYyFETeCZiGhtrYmeGRtwUYEs5HJsYE8FFhHQyA82YMmWhvJ+luERPJpCaXRrgavgriCd7HBcZJXUMHg9aNwpE0U5guCZyNlQ8sSjo1kSMsTUUFRQbOhYwhtnKP6SOXI1R12JOnuIeq2VMpZgm+hdg0iYglGUXsWqM1gbLTRccdQh6Ku0exnodIIyzBObLeyzRbgl2MPIvcF+DTaqR8HaG7s1kuabRjJ0TpPR2VPJV7KLKyJPRF0V2DRrKEZhaNsjpZo9uNoKHwaJdi0JwbUojVhqtMTJ4I0NdDcP0bBkIaxSOjsCQm08MyRGoPKyP2uPoVQ="}
 02431{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900873323,"pkt":"QPMIw47hABsv8H60CABFAAW+QeZAADkGzDZSVRq5wKgAZwBQ4m1aOH8QBPBEEYAQAktstgAAAQEIClnq0tgAA+t6yOoxEtjJYMe0j6G03geIuahaK1oTHsEliMMTZ8IV3w+jNLnJcKpRQYoNH0Q1owU7ElIg1BvY00M1sKh00GrYYaKmxapIfSuhKlliV5Ggz2ZEdUXqEuURYhcRmGdF6HkVYKkoGKmh3bGvRvDFLCRD9sysMedkSiftieCrscIysGDeGZuR52JNFJwy1gdIqmuE8SC43k2NNmXvnK0LZ7Q9kdYKlspkg9CZoqhXWJtbKpgafXBrJWhOsqdlcjGlMIf02UEyYUEoN\/R3BPJjY2bCG2s0iEvRRNQ+jO4xqKDwyI0ohahosjThi9BIrI7gehuDWUCCJLBXotaGI3Qlg0wJ4IVBKoTow2PA\/UqeR2ILqdQ62OGMraO4hekPhuNoceBSE3cCJmskaK+hP2IZK1kxs+D0NwaUQbYMYurNlQeMoTLYsrBUslTyTGB4bJjIpUh1Csyxlol2o3gucCaI7VzLkaJHRLOOI9DqwQy9GXvictCZRvBROF7M75lwMNqMbA1Q7yIm8GJWsFybGm8jbOi8hKnkr2M2jAtIEustYo61E\/YmmP6L0b3whJbGvRDYcGUzATfFIDVQIw2Oobux01kTo0N6FINdmGBYdKOUophoRJtodkbFVo9gsdiVGqholRuBaWjGKEmDKSSFXnjQZrsSagmHGQ2V6YSOqJlWjZkzB3BjS9mOWLBMSDwqGspicFTSY2vRnKTsOEJT6izJU3UzZMYLFNbFHhcKrhEElmjUHgsGw3eFliqL7LktKtGhuCzshGkdcMxokwNDSEy0x5WRazwkNsaY8bLNjG6JXCGsDRGmNiieYQKFSLNMh9GJBBqDcYmQ\/TLYs4Y5okeCCq6KrROsWRPA\/QgqexNDwJeyORUtLVhijncHacZgTImKglDuKPKPiNMVuBBPFGsVisByZlsa7HsdRZxjrKIyEiLkwMS2JuxPlJTJB8H6bZlkrSN1n4byX0J4EzWxRB5yNNiRbIpUIU6KJCXaHjR8G5KJ9CS9nWBuYG8YG6i9HshCfoTL7I9i9svs2S0igzvAmIqQvhrDHLkQf6KrgpKCatLEWjeRJbOsDeINKDg0ui5F0zaibWWN0bpi9BWZoEHKMpILVMCwVlji1gwwlSnhCVWC+iHqDPofxpWqTM0eNJ2xqh8YRjmCGxosC24xO6HlDsYiabHsVY3Q2j8FwXDnhHTop2I0ZBKKmqh+g1MksMLJUzHQ4tCWBioqFxpAlEhOSDo8Dagmn2S4NI9pDj9P0qphlFmxt9ob7Q4fDeWdIS9mSomrgesCHk9xVyISbeBYZYqOnkRY6Qi+xNoTGi3wtcJ8IdEGuiiJs+CUCzHWBIwyehKjUWCjSYQ2xehJQkV4bmCDSE3ajpBI9MbbKsnYhMqSE6SoSmxVZQz7F7Cxw52a0Oi4wa6G80SyNISCZNs1kTWjAjbEjBSIX0JgVNEej4YLk6FUNkLSpOMieS4G8EdEeg2KpGUxUsEchDaYw1FYKjISLZtH5xdj6MjnZrR0KQaPJCYqtCpZNBN3Ym8GJNCRoeRqPAyVRi2Jvp8EoJ4hRsvRtEZTjFNsRZ6Lg1GM+iyL6KpBqRssXcg5w2Ui1l6HGqjFFnaPpYhNtEfI6Fk9p+jWy+h1jWBucKo6btHQ1cIbLY6jKwI1kTtCe6OF7GyQ+luTvB+OCeRZE8Cjzw\/QQ2lsbbGNL0REErSTiKuDRksFTw2JZIJTbY1oaZGzXwTzsbdEiLmog0Ji7YqmN+hroiag0PQeUVDI9mcQw6G101ZROVMQtGQ7eH6WaIbNDwsDsK10NpNDbcMrspisEOJISYYqTRU0RDqgVWGQxaXIsvmpFmWPDA8JDDqHRSQsC9DYnnBYhpbF9KmJvaYk7Ktm8jfrhZcJnL5r4twNjbk="}
 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":2836,"midstream":1,"thread_ts_usec":1436720900873323,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}}
@@ -41,7 +41,7 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901182283,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182283,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/BAAEAGs3DAqABnTUMdEYS4AFDrYaSj8+woZ4AQH+origAAAQEICgAD66NkobAz"}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182466,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/FAAEAGs2\/AqABnTUMdEYS4AFDrYaSj8+wze4AQH+origAAAQEICgAD66NkobA0"}
 02444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":204,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901183137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720901183137,"pkt":"QPMIw47hABsv8H60CABFAAW+nH9AADkGdFdNQx0RwKgAZwBQhLjz7DN762Gko4AQAq9DyQAAAQEICmShsDQAA+ufWEdJBRPnaSmosKHYDmQEyGHV3GAwTrGe5kQxyGEYyxmyELBrJc+SMi3dmmwq1mAYjd9asgZG6SWIbmuecSeibLvJUKPOw0JlNLd+SsFoR4AyWWZMuWzjy22t8lg9nL1yby0j7G5yGHP2UfvrthqhUQLZPhRPRii5ZImLbbxtBh75Nwi10QstpiiOURwgsk\/gse0fhODW3xEaIlCTuwGMxEsajO6KBwgVZE4oD8EZJ8CUI+IftidbAnEAzCB+CxiXeSUkT7I4PLvoy1NnMNCUuGI63ybZNQBpkMtmgmFlmfthxhK9DguCw4XPNprshLbUVoAbHdBaG0WibQPaUDoawN0QnEMFu5OOsEXu+c3ydgozRy0R9FbV0F8hsoSyHLIicGyGMakQqAYSTks8J\/2+\/kORfizOWuAtMcMCSaUPfEY6f\/ttodWXWPLX7bzs5o8i2FH5IZ4wLEpEOhwV2MADYJIWDBmF9CQdn6hh1kzmvWM7b4SuFg+iI0QmrTgRgMl\/rAMZDtwdyKQyk+DPksJTgtrhZZRA\/GY+X2oyKfiboDY0NouOzUthrGCw4ToWxqMKM+rf1sDDAEsjSzJB7rCfcDOwibANVH23SwWhh5rFCY04ksXdhurOKpIBQXzCwN2yHF8S1j2hc2z0kMsCW+OeS+e5HaaRoyzZaCzPNrgnwkhY7i8yZQkeMkH4woSzgHZw7AMoJTs5nD21BiRDuFCBqB4lGX+kk55UTfE62aMJ9jBPBhqltnyYDTEarQKEsWGbVjV7cRHRc\/JgmbZkQlW0YI\/xZdFg6wN2R+J3fOBbBmIcOvB5bIKiWTEFFXRESk7pA\/G3UwXXKB8XDGTJIAkPv49GZuMRZBkC+FhZzCzZ\/iYJh8LIJjV10uzY7Q6E8RpFbyee3Ru25UC5ETbDsFPCaR1ZZC+Qlrsu3Z2QOnm5Ijct96wHLCiQoCUx5CFCGTynRCNjadMyB8tlLRKCwv7KX++dvy1I4Ngs+X8bALTsRQ81XIDydJihBYicmO+O5EykyOu25b+jIYCOXX2WfISuvyX8JiI2GJxqYZEg+OZPoDhxBrn8TYtguClNRehGIQDtqZcwjb\/V86w0sQMOHMZzpnYBjpA8i2eJoGlmik3CQHHMRm8DxLkyFvCZWDFGTUEVI6mHEnfCoaSoN+\/pJIKAlCT4XxDOVC6F8g19jfq1eEJAj0k3u3yFtEJC0DXJolurtJkzJ6y5KHJWSGujZ7ucFS0YjpIoSX0blPAySPJvg33fP2OLma7cQ\/o6PyUHgctick8cobWRNWzIJG3koi8vkKbBIHEMIhdatBUZ40kmN4wtVBz4xoAKljf4v6tXAUt\/sabl0bLkuRE5KikyGgBCbojsrcdwSEGEBomIUFpEl4TvPOqQ8EQF08if3O9FnhnUw2jwQHpaPsw+3EzgNs0zWy6OB623FWGwH7yRctwfDWnw6uSz7AvbHpmHBs+lzanaBkBBq2DLF24dyAfJ1fyW2F8GD9sWLVnjCGZF3EsLst8bQIxxKOwYkoOS2WRsw0xVMJlnywe3Dcc8w+9gQNiBfxyDpYA\/BXzFgEQ3SDtI\/Iov2XBZk1lmPY59tj\/SH+23V5dy\/iiOkLW8UdeiSozNTMFJIdoa309Kn34h+DTnlxZPJVqKRj7du3Uk37CetFC6vFxS2151HHC6aWXemK7B3BpAILjJ\/RL8v0ZA5dOz14w3bAaJWBEg+oUMkesS4WzNnMtGFzWDqZOmcWARMZvW5QUXehDRGok1aYS2VUwcI4nRFkmR4HYk3YsQQ7hbSjts4wBuESi5cIWAPkICk+lgVslThZsIux2ZS+mHik4DwoYI7IF8QlYXTsSiw2By7i5s7AeQhpAzljeQfkQaQPQMK5P3IVCAQHZWMgI="}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":36642.8,"max":372071,"stddev":92640.3,"var":8582226944.0,"ent":2.3,"data": [185486,185853,397,519,640,61,1434,61,1404,61,580,733,1434,61,310272,372071,63232,2166,2198,336,305,549,427,733,793,580,519,519,519,1007,976,0]},"pktlen": {"min":66,"avg":840.4,"max":1484,"stddev":686.9,"var":471900.1,"ent":4.4,"data": [325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]},"directions": [0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":36642.8,"max":372071,"stddev":92640.3,"var":8582226944.0,"ent":2.3,"data": [185486,185853,397,519,640,61,1434,61,1404,61,580,733,1434,61,310272,372071,63232,2166,2198,336,305,549,427,733,793,580,519,519,519,1007,976]},"pktlen": {"min":66,"avg":840.4,"max":1484,"stddev":686.9,"var":471900.1,"ent":4.4,"data": [325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]},"directions": [0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00875{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":324,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":324,"pkt_l4_len":290,"thread_ts_usec":1436720901262544,"pkt":"ABsv8H60QPMIw47hCABFAAE2VBZAAEAGt67AqABnUlUamZHmAFCdoJYSxR9Z0oAYDfbnvwAAAQEICgAD66tZ6cc2R0VUIC9ocGhvdG9zLWFrLXhmYTEvdDUxLjI4ODUtMTUvZTM1LzExMjQ4ODI5Xzg1Mzc4MjEyMTM3Mzk3Nl85MDk5MzY5MzRfbi5qcGc\/c2U9NyBIVFRQLzEuMQ0KSG9zdDogcGhvdG9zLWEuYWsuaW5zdGFncmFtLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogSW5zdGFncmFtIDcuMS4xIEFuZHJvaWQgKDE5LzQuNC4yOyA0ODBkcGk7IDEwODB4MTkyMDsgc2Ftc3VuZzsgR1QtSTk1MDU7IGpmbHRlOyBxY29tOyBpdF9JVCkNCg0K"}
 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-a.ak.instagram.com","http": {"url":"photos-a.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11248829_853782121373976_909936934_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}}
@@ -75,7 +75,7 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":344,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1436720908466005,"flow_dst_last_pkt_time":1436720908518251,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908518251,"pkt":"QPMIw47hABsv8H60CABFAAA0kN9AAFUGV5QfDV00wKgAZwG7g+MQ445PobbjVYAQANn+UgAAAQEICvAgscMAA+57"}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908521089,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720908521089,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38817,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908521089,"pkt":"ABsv8H60QPMIw47hCABFAAA0\/y1AAEAGBcbAqABnLiFGoJehAFBl4Bu99+Pb34ARFTc19wAAAQEICgAD7oGa3vT1"}
-01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":237350.0,"max":7321503,"stddev":1293384.0,"var":1672842313728.0,"ent":0.1,"data": [183,854,1526,2655,488,367,335,397,1495,519,1160,1800,61,31,2258,92,3204,427,3571,1038,549,367,1953,885,885,671,3632,61,4699,183,7321503,0]},"pktlen": {"min":66,"avg":903.3,"max":1484,"stddev":693.1,"var":480370.2,"ent":4.4,"data": [66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0]},"directions": [0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0]}}
+01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":237350.0,"max":7321503,"stddev":1293384.0,"var":1672842313728.0,"ent":0.1,"data": [183,854,1526,2655,488,367,335,397,1495,519,1160,1800,61,31,2258,92,3204,427,3571,1038,549,367,1953,885,885,671,3632,61,4699,183,7321503]},"pktlen": {"min":66,"avg":903.3,"max":1484,"stddev":693.1,"var":480370.2,"ent":4.4,"data": [66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0]},"directions": [0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0]}}
 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":347,"source":"instagram.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908523744,"flow_src_last_pkt_time":1436720908523744,"flow_dst_last_pkt_time":1436720908523744,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720908523744,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":51219,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -141,12 +141,12 @@
 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":466,"source":"instagram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720942580781,"flow_src_last_pkt_time":1436720942580781,"flow_dst_last_pkt_time":1436720942580781,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":255,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":255,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":255,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720942580781,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58053,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-g.ak.instagram.com","http": {"url":"photos-g.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11379284_1651416798408214_1525641466_n.jpg","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}}
 02448{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":467,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592195,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592195,"pkt":"QPMIw47hABsv8H60CABFAAW+MAFAADkG3jJSVRqiwKgAZwBQ4sRSEEyML7VmbIAQAggFiAAAAQEIClYL0tgAA\/vKSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBUaHUsIDA5IEp1bCAyMDE1IDIxOjI4OjQ3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTE3NzgwDQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA5OjAyIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDA4NzQ5MDAwMDFlNjAwMDAwZmE3MzAwMDA2M2U0MDAwMGEyMzYwMTAwZTk2MDAxMDAxMmNjMDEwMDdkMTQwMjAwZGE1ZjAyMDAA\/9sAQwAHBwcHBwcMBwcMEQwMDBEXERERERceFxcXFxceJB4eHh4eHiQkJCQkJCQkKysrKysrMjIyMjI4ODg4ODg4ODg4\/9sAQwEJCQkODQ4ZDQ0ZOyghKDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7\/8IAEQgEOAQ4AwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAQAAQIDBQYHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAAO9N4sXTDu15V0zXWqS6eeKmgreaCCmgg7uEVJBFpoIqbJxUnCLu4QeTiZpSHB3cGdOqZ3QRk7jdJJupIE7IbunTdJ01OMhpJ0O7ON3aSOfwekxeD0uW5b1DncnTsA9NJjtugMD53fqZhIgWgSaAtbEsWQtyzLPTnJhkzlli0uis5Bw7O7irEdfDm7Q3o5VwFjvEUYqlhUYWiOMp6HN4L9xoRfHbOtZDzdIqnt5UkurlUXoRcsXKR16897uavZ1aZJAySBM7AzpAoyQRQgyWmsrLZ1OZUcAMdHNE+Pr4jXWjcf5Yn6n5BjRjQdkY2Ci0j2KtwOa\/UpM3ThJRs3xi0n0mLpwZpOEVJkou7MSd02Z3ZFpOEHkgZ06GTuOLuhNJONJONnSQ6khpJwSdxp0k3SkN0kh3Zxu7STU1Wnghs\/P2jYmxyVZaPV5dg9EEcFEMbREli20VTekwDSyB3KDNbYk3lNtwDNIYAe3by0E+sjys0+hryZgbUO7JtFhyPAtU9x0fnXT5Pe0s8iDQmLcK2RFHXhU6XTyJnQ28l6vzLNitasqL77zvTx19X0ci6zQXnPPdfP7MvnHFT+lsL59dHsm\/89emZV6Rwnnza5jdZxo6r1zovBcxn0zk+Fuz0rN88YOj54WAHVCQZESpRo6asDUEg+pcTzW\/zOv0wrwT2tqjD9I4GWD0GFZpn3V3jttz7jDCvpQgFzWGnoul5+tsu35+PE65+hGeTZlT7uR8ydJvn72\/jvpsaaqz69ctVZ2lpLKT0oqTAk8hxUkhJOCdONJONpJwUoyTdncE6dNSUk25Pb4401KwD+XrjwXoWViQow+4a5bP6vJ0nnR9YKwCs6sKb6awPu58RHXNxxs1uwH0ZoswO2Gbbm0i2IA2jMsDvRdUaULFs2KwzolWtLXv2s7q0nGSLJCq2zNhzG32cRjcZ5mHvkvmnpYZ\/G44avfLzN1IbE7nlky\/T\/MstLZrG1W\/PSfZOu5d\/ArvpDw\/t5uJCKz6NPKChFXSGiq1p59mmZDDhAbKIjC40UhbGFKqLSdOLO4MkkfQh1cJjj+O9GqqPQOf5vU87txCsYGo7vZ879onVefdz8yDmjOv7+Tz\/pFy8v0="}
 02456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":468,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592409,"pkt":"QPMIw47hABsv8H60CABFAAW+MAJAADkG3jFSVRqiwKgAZwBQ4sRSEFIWL7VmbIAQAghpXgAAAQEIClYL0tgAA\/vKkxiut5qB26Ow9Pj8+yfWMCa4DUGy+Ho3+c5jmKfpvReNdKH0EH5lbcbz+eZjXvWt849W37RLwLcqfYn89ApepLzJrn01eX8qj3x\/Byg9vl4hMftksS8eq4V9yQ9dg87nd3j8t6NPn9HZ78M8\/m15\/SI4iV0+Hr5YZdJFWiriRaANGqKgC2yBU5D1y9AGO5LwC+hZAOnTCa0b8GSfSXc3ZK6AUI8M2\/RlL0N3AaXqkYlae70WFvXE\/MysjfHhicTX059\/nyudDYrqom8O\/SwbXeAYWCl2HDbeHOmh0nFvU+hbHnPQ5vucrmudw17ngsyPVk8VHSYNOA4HAkiaZ9LkB4VlFV6oQoQoqHF7YpwjYwQuo3UsJOh\/RGPbfOPDFikaxDY4DU5OkkXmo2bPofj3YqtI3A2tMe8H5Nt8O55y1B5\/7N5\/Hj7N63x3O1z+g38A6wXb+eEc9NDyaVW6IJldX6R5B6ZmuRoJAaDtPubZt\/FrO\/ofNxI07nn+e9Kt8ed1WPUA43vniOOoe+MdtjoYlp8vJuziWF9ZSfTEwvQuT1MrucEnl3NmPfozec2Q8b4rocvm7XZ0ZulcvKtUOGRAQ4+gnWZDVgPNWhEKtHOpze6ZyDRXdX8BKT0GfAkRXbz40uX19WJqIDO0OmFTszkplJub3z+cPQ\/JvQ6z862sGNz1mVnCXPSY4Ty9OzHqpGSzpKihVIIPNmVKcRNOqLCYDILVVeEY398LgV1vOVI9RE0wT4QEQJpSDAaZU3nNoOD251yCtoLfS5daqb9QCMzcp43dzem6ufhS6Oew6aI6IVlfacgTJtbFeleWXZh0ue8o8\/FVehcsDozfPVyqd2beAaLdw7AEWuPBsy\/NtRo7nK6amwzE7wely5\/Li6bHG7EM3mel42aI9A86edPRMPG0Ly9C4IXGVdSXyWneZ42VsFYuj6kTogdbNyRn62pnUvPuruzMr3A+oweXcoviYt9jgW6815zm+k8\/tAB\/OBUuybA1gvm903GUlLnZS6ZF4KFr24FYdVfxNcHoN\/nFir0ejjdiS\/RN6WHm6VtwnvhPbN\/CPbfkffMXtuX3qjh3relJQiEoMQKEpOyKasJqDId1NjV21hXC6QDvdJEJVO1s\/Q\/zN6OTm8v3oOGonI9l57alQUrkXYpZMcsGthFgcg05VXIYrOJRhIhUfQ\/A63I8zG3eKzunHr8oC2NDAbQaOkGxtKX2WhycdMdrn93jLkKuKz3vZ9JmVLTQZa3BEZ0bqBxVlISUosM18C1LstzjfR8zjgcXvgyeor56XydIvT6GCMTACyMtUrgCKhlE19BSC9tDF2gkO5dOOJom5fPt2VnLbnJsVlaDDEPHHuS8fSny7ebZ3qPK2w9TgzU+rEx8ulpAaNFzDbyos643zk7Ou5p5O+X0FYusqEnp3Q6dbPtiuk0uU14ejc98q24cupIjGzSHlDhtF575ZOO+XSVH4SnEqKawNGGtZiJmIRtjEC5UnTQtnUn51xEfWfPtM8B7b2wbSKwHWlcGMSfEWVosImWLXNObHxqcs3YBBYOiCN6LkB4epBLK0KLAqqCHVFoZN\/S\/La3Ded0EcjPZ3z3AN\/GxrIy9iG8YgvWH1PnkuwzLWQPtqlhubqs540iAhZVVsNHpgy+LaCMldVgpipyGjRNCQdSLo8zK5\/dN6RMPzzXjRmF7eCA9vW05aci1898xYkdUwXtNbK2ik7MtyrTKySLWrnk2azz+9hky9fQzRuXXXQYOOm8sLU6Mz+T6DMig+c38yaBw+rLTxauj59VjG6rUoWWXRciQb8rJMP0s6wZdhrOeI1OpspY+oXQgyBjtBm3CyFWZNgavivsvzz15cAGTDTH0Hz\/1jzPKsrUpltBIzz0jO0ZWIpZqARY="}
-01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":4596.4,"max":62164,"stddev":15022.2,"var":225667616.0,"ent":2.0,"data": [61310,214,427,62164,336,336,1434,671,916,885,1556,61,61,1618,61,61,1312,92,30,1312,61,92,31,61,519,549,2411,2441,1373,61,31,0]},"pktlen": {"min":66,"avg":793.2,"max":1484,"stddev":693.8,"var":481326.3,"ent":4.3,"data": [326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":4596.4,"max":62164,"stddev":15022.2,"var":225667616.0,"ent":2.0,"data": [61310,214,427,62164,336,336,1434,671,916,885,1556,61,61,1618,61,61,1312,92,30,1312,61,92,31,61,519,549,2411,2441,1373,61,31]},"pktlen": {"min":66,"avg":793.2,"max":1484,"stddev":693.8,"var":481326.3,"ent":4.3,"data": [326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1398,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950909974,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 02452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950909974,"pkt":"QPMIw47hABsv8H60CABFAAWqgMlAAFYGaDQfDVY0wKgAZwBQ42ig4vcaLhm0z4AQADsFTwAAAQEIChPCQpUAA\/8J\/RR\/Qw44auNd5sy65M8X7sSNLvesqLPp\/hWIEgj7u\/c3G33+CGWHr5NjTBvseCa33d9vm54JLq\/16uWtfE8LiAl4wMLDP475fV1R18fJlgWHzmvfo5rv8qseyXDb2HUuXqKoKX0JEHYQ4SCsd7x2l6PL5eytk2f\/kmJp\/iODsxx2N\/N4UQwH1r7vqSLq\/y5DElOXzRARZUzbImejgsz5wOzVgeOngfBrQtGX6fL5DmkthCiZgx4mBvjCvzFR0YP1xM0OXv+CShnIqVrP5zMdqJDyzU483pE+34fsEdDMZT4JhGoy\/98gru4qi0lyXyEksrGabld776ByfJIVVp4RivH8YLNUqtpfCVBnMTiA7j\/sfl7slzSCJaM2S8tAkbhjEusFLl75fI1asIxOiRsWcrVhmx\/PbZlpNd4K8\/v2iJLC1YElBY1y9j56WJc0LPwne+0suiyX3kgj3Fb6y+5RCsQCy2EKLdhWRbyLYVKkL4lX1A\/hBl\/EQkdQU6AhwlzHoU9XC8zrf\/sv+pTGiGgMczA3HQL0c6iXziIlynBHwH6WDIGpFhs4sIl7R4Y0SaCPOZA1lnMfjRJoKCOWKLZc4VEiazWUhaMala+ExIJc2XmtrYy\/iRYyo+LY2ytYUtBbJwRglHwtVOPffxRf4sv1nIag0M0miGXxU6GsLdqvokImfUh+1xnyRB2wekFeanQUhm7KU2GNA\/Wut8I6Yh\/BrGK2ISAtFCkh5uw9+EN15dd79TckDZ5M\/1IXL8vqbu\/hTG\/JfucZfR3dz3L3c+OhdygQW8UzKVOFvvFE3uZQnd322DAH7zC3LRHAXbCjqHBmwf2whhpegjLfm6RfL+z+IzmMokA9e2qfVhZ6xYQdwpjxowXA\/a0hFuEIYBqgg2RBxOTW9B0lNexKZj7L7myCIQt5asMs3OULjIFOSJmLxUIk3Q37w4ymEfVUM4Q7YQrd2Q7D7oXQeE3jsBBmSxiRovqahgnBN4hvIeCZZMLY1uvosfkYR3vNLSiHuKZeam\/RFQJomYqTPcrO3yya\/L8n\/bJvfwlRzHWNuu76VGEBOTSmIQrzPwlvzfa91FS9xmltfjK8v2vivjQ79d9wnDovM7E8heMjng\/L76qTSur9Xu++liqI9lESwcV36\/iMv+UhBAvwlNl9yFOXzTHExcfuKxDjy2WcT\/yjID\/XwdhLUHYsgQ9jzrKZiitJYPrb03G\/4eqDHUUFspftslQp6lFXZbtMgT+PtX+iul7L97VDMHXGdwaI8TzZ6\/jXre8vnY2F+CmIZKNEjnJpMB39UHX\/p7\/3FfZpIUwHcB3IlgFw2RAH5dbcIGzC1nhuJYVIQctqJ04wUFMG9bZhr46HZ73BXAQuUhUW68mxXOEcSUvu6IiD4944qVAoG\/m5vfXCzer8TXXbtxGJy\/lJZWKxmuOzEdM\/69tZAld3d7Oi+E\/\/wSXdP1F9r8RHsvFnMaKa\/Gb3fFq120z5cfUI5ObITs4O5x1e\/k2SP4T55SQ1l\/\/E7jbfd3y\/W+K4YanQb4PNdLvnwtOUEVU10v172Jve733E93FYrd8\/r7COigUu\/j7zMkQoWBxC6yXxRL8fBFpX1\/jifjboOb9QR4q79l+S7kBZXF3dpMduttP55\/mpWYFflzvfd\/Hx+Ie9ijit30tVfYliZvDoVqX8Iibo18xmX2SURsTLcDlv6t9hYNRdUnFiX1r9e4\/4uD+iVcRBUU8hc0fHv5tu\/ghpv97F5dOxeZj2CiEjpYqtM2N6y9Ex9X2v34njvtqIprtcVwGtsEjAY8n2yd95fX6LnY6678J3vfovd9+pLl7ZMl\/\/3mgopvtAOiqdmdl8m1KgVxW1IDqxnD5Yq+7jVsvs"}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720950910341,"pkt":"ABsv8H60QPMIw47hCABFAAA0TetAAEAGtojAqABnHw1WNONoAFAuGbTPoOL3GoAQH8w2dwAAAQEICgAD\/xATwkKT"}
 02439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1436720950911439,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950911439,"pkt":"QPMIw47hABsv8H60CABFAAWqgMpAAFYGaDMfDVY0wKgAZwBQ42ig4vyQLhm0z4AYADulrQAAAQEIChPCQpYAA\/8JIuSEmFKcHvUO79IuA4AtgLK1ooHfe\/xvCx6EanjcjDye5qfYfg99btIFMlfpEyS0+WXx48YQQIBKyWOQayb5WbhMWSz8Ru7MV\/a5RJtywzl84iv9BLl6PdqXz3kxPZm4yY8HdjILE3vdfyWVN0pVFaKK+f+Osc32N80bLx0naY6\/StT9w4Neeouf2Tn\/vkhhHb5a5vAV9Sx5efQ\/Fatqq174n5ea7v9ir3vf4yK3Pnlx3v3fywdfv\/ld3jdWI6CQY9xByO962aeABxBaD0Ff8vq65YOluUkGW\/xG5p7nyyq1NumgVeaWXPx2O3qpBCTyam4Mj9KNa9CLu77T788mzfZZLswHVfevJGWxpG6er55a4je67Jde+KzsbHfq771q7M2+z\/WWJw+2E3Gv8+Ffd+tBC77nzd2bXmu\/clj6qf9o8rFbG7XiKrvvv6XxVyXfvsflY+OxHlh7gk3Z3+CHdjx7fieVi8bxm781fQKvN8eNlagx6Pt3\/NOSAfXLBsZ085Sli5c\/HVLg4fEITYcZuYfT1VtMLoUR\/it2aocyhvwSZMTvD5t065r2N7JUsZycS8vq283r4S3bSl8\/xBhG2Ci5YyWnWnN8pxV7z+JfURJd7rip6XefL+Ju6T2Uxe8n5uUueW8j7FWxyhWWeGt2YWoIb6BgT6P7uCHnx\/HwXcNPzZiXBYPY6liIwioP5BO9O7zdXvrl6Ju71WJu93dF9e+W764JLl\/1aJkh+a8yX4S4lMe7dI+73eX7WiDQUaZve75ZfLkLUJX2tpOX0s4hxEi8nbq2h\/\/mvflq9RBfYRrfTdMUcVv5e78i9rwQyT\/Sl\/1zQY9T8g\/Uty51S6PL8o6JLB8VrQkT8ugJnmu83Eyez2e5Qy1+W7Aw4JHINbEb3Lj395YP7YvjhcMBXfvXJ44Z+Ixmnuj5fXvqryZ8aIvNfJRrTESolEZ4VaoKtE96vFFfwld9u321frxC3vvk10K23e7KuXiuSPeX78kEfFYr7eXpJxFpezOY6TshceqnnmzDJNaHyWEjeK+xtg7siFQxNUarW6raVTT\/fwlt3m1+qIhVuJsRCxFdbFXtQf9\/RdIuTCv1R7IUVly5mtgVW\/5h5d378ta7e\/5QkWm71LXLL\/Y\/yuCATBPFbu75ZM1tF4Xr2urFPeZ1jp6PYqu0ysRtkUSKOnvSvJ9F0HEq\/Rr4RDbTxd+7uU\/Q0X5NSa4riJq7\/YqaIUW4dNr2MWX30vRqr09mqvna6y\/VdiohYPHuWzpM\/5V791hHspd591pkzSvTJiOetcEmlGTx05fm5r+E5WPIYg3+Ld5OiDJCb38Xd9ysF92RKCKwntddXfaT3LP\/4K7yaDr4HbV6D7vh8Ru7u\/ShH0gWZxKK93e\/u7nhshKX\/8u99ZHz6WcFOZh7FbiudjfLamk58fUJd3H2j6sTr\/E4xQhYhPxokXSHH53b6EIn4I8kGvoiAAQAAAAAAACAYAavAAAAAgECXIEAAAAAAAAAAAAAAAACAAWcAAAAZwAAAAUAAQABAAAAAIBgBrAAAAACAQJcAQAAAAAAAAAAAAAAAAIABZwAAABnAAAFoQABAAEAAAAAgGAGsQAAAAIBAlwBAAAAAAAAAAAAAAAAAgAFnAAAAGcAAAs9AAEAAQAAAACA4AayAAAAAgECXEEAAAAAAAAAAAAAAAACAAFNAAAAZwAAENkAAQABARggBwEYIAcAABVgQZrjwgqFiDcfxdYWFjNTGhc\/+kWorCzCP06aQacK5fU3p2bDv4QjGkzRtJEnNbVPk\/10ykQi0ZJ4s6VFQ2Ko59C0bD2u1KUtTyS\/\/DlRe1HhoMlOd6CAkkRYQkwPPOx2Ho6SCe9GzaPNROS+"}
-01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":853.5,"max":2198,"stddev":594.0,"var":352792.4,"ent":4.6,"data": [367,1465,1587,519,458,824,1465,61,30,1648,2198,2075,366,213,641,367,1312,1678,488,214,610,641,1037,1679,336,488,915,794,335,977,672,0]},"pktlen": {"min":66,"avg":983.4,"max":1464,"stddev":664.0,"var":440886.1,"ent":4.5,"data": [1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]}}
+01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":853.5,"max":2198,"stddev":594.0,"var":352792.4,"ent":4.6,"data": [367,1465,1587,519,458,824,1465,61,30,1648,2198,2075,366,213,641,367,1312,1678,488,214,610,641,1037,1679,336,488,915,794,335,977,672]},"pktlen": {"min":66,"avg":983.4,"max":1464,"stddev":664.0,"var":440886.1,"ent":4.5,"data": [1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]}}
 00915{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}}
 00916{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}}
 00877{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":644,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1436720908464754,"flow_src_last_pkt_time":1436720911139558,"flow_dst_last_pkt_time":1436720908464754,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":340,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720951306703,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"192.168.0.103","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -164,7 +164,7 @@
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1436720952563081,"pkt":"ABsv8H60QPMIw47hCABFAABH\/7VAAEARadHAqABnCAgICGn0ADUAM87BrqQBAAABAAAAAAAACHBob3Rvcy1iAmFrCWluc3RhZ3JhbQNjb20AAAEAAQ=="}
 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Instagram","proto_id":"5.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-b.ak.instagram.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":1290.6,"max":3846,"stddev":1167.1,"var":1362190.6,"ent":4.3,"data": [122,2106,427,3387,31,3174,2289,427,946,1892,213,2563,1831,3785,61,3846,183,1342,1312,367,183,213,275,519,519,885,854,2075,2106,2014,61,0]},"pktlen": {"min":66,"avg":819.3,"max":1484,"stddev":707.6,"var":500717.4,"ent":4.3,"data": [1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0]}}
+01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":1290.6,"max":3846,"stddev":1167.1,"var":1362190.6,"ent":4.3,"data": [122,2106,427,3387,31,3174,2289,427,946,1892,213,2563,1831,3785,61,3846,183,1342,1312,367,183,213,275,519,519,885,854,2075,2106,2014,61]},"pktlen": {"min":66,"avg":819.3,"max":1484,"stddev":707.6,"var":500717.4,"ent":4.3,"data": [1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0]}}
 00901{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00902{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":737,"source":"instagram.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952611482,"flow_src_last_pkt_time":1436720952611482,"flow_dst_last_pkt_time":1436720952611482,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611482,"l3_proto":"ip4","src_ip":"46.33.70.150","dst_ip":"192.168.0.103","src_port":80,"dst_port":40855,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -177,7 +177,7 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":747,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1568796253784713,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1568796253784713,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGAsrAqAIRHw1WNMDLAbuZigak9a8KwoAQCAwKkgAAAQEICg1wcq86Lg6w"}
 01124{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":748,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796253784771,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":750,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253798864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1568796253798864,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
-01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":3252.7,"max":16760,"stddev":5626.7,"var":31659210.0,"ent":3.3,"data": [12399,14597,58,14624,1725,26,7,16760,58,2044,498,16542,723,227,12497,604,464,936,285,275,177,245,128,170,272,201,2390,75,1564,117,147,0]},"pktlen": {"min":66,"avg":647.5,"max":1454,"stddev":640.4,"var":410152.9,"ent":4.2,"data": [78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66]},"bins": {"c_to_s": [11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":3252.7,"max":16760,"stddev":5626.7,"var":31659210.0,"ent":3.3,"data": [12399,14597,58,14624,1725,26,7,16760,58,2044,498,16542,723,227,12497,604,464,936,285,275,177,245,128,170,272,201,2390,75,1564,117,147]},"pktlen": {"min":66,"avg":647.5,"max":1454,"stddev":640.4,"var":410152.9,"ent":4.2,"data": [78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66]},"bins": {"c_to_s": [11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254514906,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1568796254514906,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGAr7AqAIRHw1WNMDNAbsBxqpOAAAAALAC\/\/8NqAAAAgQFtAEDAwYBAQgKDXB1TAAAAAAEAgAA"}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2071,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254515573,"flow_dst_last_pkt_time":1568796254515573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254515573,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -196,8 +196,8 @@
 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2088,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254529128,"flow_dst_last_pkt_time":1568796254539971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":1016,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254539971,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2092,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254531371,"flow_dst_last_pkt_time":1568796254543357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":529,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":948,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254543357,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2098,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254539348,"flow_dst_last_pkt_time":1568796254551766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":513,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":932,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254551766,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
-01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12492.0,"max":158859,"stddev":36696.7,"var":1346645888.0,"ent":2.3,"data": [12015,14119,556,167,14869,68,308,601,354,271,107,13997,388,138,112,165,226,1385,108,1160,122,114,5,489,10627,8948,1625,2191,142763,158859,395,0]},"pktlen": {"min":66,"avg":536.8,"max":1454,"stddev":570.2,"var":325102.6,"ent":4.2,"data": [78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01720{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":21296.4,"max":156515,"stddev":45250.9,"var":2047640320.0,"ent":2.9,"data": [11078,12229,3431,138,15990,219,497,12957,479,11770,12042,155644,475,129,254,92,123,275,7,156515,111,123,122,255,2699,48704,55896,8249,149165,503,16,0]},"pktlen": {"min":66,"avg":532.2,"max":1454,"stddev":557.6,"var":310915.1,"ent":4.2,"data": [78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12492.0,"max":158859,"stddev":36696.7,"var":1346645888.0,"ent":2.3,"data": [12015,14119,556,167,14869,68,308,601,354,271,107,13997,388,138,112,165,226,1385,108,1160,122,114,5,489,10627,8948,1625,2191,142763,158859,395]},"pktlen": {"min":66,"avg":536.8,"max":1454,"stddev":570.2,"var":325102.6,"ent":4.2,"data": [78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01718{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":21296.4,"max":156515,"stddev":45250.9,"var":2047640320.0,"ent":2.9,"data": [11078,12229,3431,138,15990,219,497,12957,479,11770,12042,155644,475,129,254,92,123,275,7,156515,111,123,122,255,2699,48704,55896,8249,149165,503,16]},"pktlen": {"min":66,"avg":532.2,"max":1454,"stddev":557.6,"var":310915.1,"ent":4.2,"data": [78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00763{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908576723,"flow_src_last_pkt_time":1436720908733491,"flow_dst_last_pkt_time":1436720908662568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908577363,"flow_src_last_pkt_time":1436720908737520,"flow_dst_last_pkt_time":1436720908665956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -247,9 +247,9 @@
 01125{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2224,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265162908,"flow_dst_last_pkt_time":1568796265159201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":404,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":404,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796265162908,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2230,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265162734,"flow_dst_last_pkt_time":1568796265175583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265175583,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2231,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265163365,"flow_dst_last_pkt_time":1568796265176036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265176036,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}}
-01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2554.7,"max":16353,"stddev":4723.5,"var":22311642.0,"ent":3.2,"data": [11840,12942,2760,70,16353,27,401,1108,14120,264,633,553,236,305,380,53,1148,300,94,1743,117,248,13,105,10046,132,1375,75,1411,144,201,0]},"pktlen": {"min":66,"avg":733.0,"max":1454,"stddev":652.7,"var":426025.8,"ent":4.3,"data": [78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":691785.6,"max":10469815,"stddev":2560795.0,"var":6557671096320.0,"ent":1.2,"data": [11096,12433,1241,548,13252,614,103,14204,568,14367,12466,169576,258,200,98,307,55,169,229,6,169709,106,1819,218,113,542,10413415,52212,10469815,9752,75862,0]},"pktlen": {"min":66,"avg":474.7,"max":1454,"stddev":528.6,"var":279392.3,"ent":4.2,"data": [78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":11563.7,"max":131670,"stddev":31792.0,"var":1010731712.0,"ent":2.4,"data": [12123,13295,2535,457,15987,6,842,13996,1396,14470,16133,131670,10,876,193,264,9,116,291,177,158,249,254,129919,113,139,2594,71,83,9,41,0]},"pktlen": {"min":66,"avg":569.5,"max":1454,"stddev":619.5,"var":383805.7,"ent":4.1,"data": [78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2554.7,"max":16353,"stddev":4723.5,"var":22311642.0,"ent":3.2,"data": [11840,12942,2760,70,16353,27,401,1108,14120,264,633,553,236,305,380,53,1148,300,94,1743,117,248,13,105,10046,132,1375,75,1411,144,201]},"pktlen": {"min":66,"avg":733.0,"max":1454,"stddev":652.7,"var":426025.8,"ent":4.3,"data": [78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":691785.6,"max":10469815,"stddev":2560795.0,"var":6557671096320.0,"ent":1.2,"data": [11096,12433,1241,548,13252,614,103,14204,568,14367,12466,169576,258,200,98,307,55,169,229,6,169709,106,1819,218,113,542,10413415,52212,10469815,9752,75862]},"pktlen": {"min":66,"avg":474.7,"max":1454,"stddev":528.6,"var":279392.3,"ent":4.2,"data": [78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":11563.7,"max":131670,"stddev":31792.0,"var":1010731712.0,"ent":2.4,"data": [12123,13295,2535,457,15987,6,842,13996,1396,14470,16133,131670,10,876,193,264,9,116,291,177,158,249,254,129919,113,139,2594,71,83,9,41]},"pktlen": {"min":66,"avg":569.5,"max":1454,"stddev":619.5,"var":383805.7,"ent":4.1,"data": [78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00929{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":456,"flow_dst_packets_processed":910,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796268061460,"flow_dst_last_pkt_time":1568796268058587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":591,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2978,"flow_dst_tot_l4_payload_len":1217228,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":63,"flow_dst_packets_processed":81,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796268054084,"flow_dst_last_pkt_time":1568796268052355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":95612,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00928{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":165,"flow_dst_packets_processed":223,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796268054096,"flow_dst_last_pkt_time":1568796268052381,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":3291,"flow_dst_tot_l4_payload_len":280319,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
@@ -265,8 +265,8 @@
 ~~ total active/idle flows...: 38/38
 ~~ total timeout flows.......: 5
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6382458 bytes
-~~ total memory freed........: 6382458 bytes
+~~ total memory allocated....: 6382306 bytes
+~~ total memory freed........: 6382306 bytes
 ~~ total allocations/frees...: 125436/125436
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/ip_fragmented_garbage.pcap.out b/test/results/ip_fragmented_garbage.pcap.out
index f82028100..8f346c3dd 100644
--- a/test/results/ip_fragmented_garbage.pcap.out
+++ b/test/results/ip_fragmented_garbage.pcap.out
@@ -18221,8 +18221,8 @@
 ~~ total active/idle flows...: 29/29
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6081258 bytes
-~~ total memory freed........: 6081258 bytes
+~~ total memory allocated....: 6081142 bytes
+~~ total memory freed........: 6081142 bytes
 ~~ total allocations/frees...: 121767/121767
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 225 chars
diff --git a/test/results/iphone.pcap.out b/test/results/iphone.pcap.out
index 4aa222b81..981806851 100644
--- a/test/results/iphone.pcap.out
+++ b/test/results/iphone.pcap.out
@@ -243,16 +243,16 @@
 01008{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599929249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599929249,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00764{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":241,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":241,"pkt_l4_len":207,"thread_ts_usec":1582454599930239,"pkt":"xGGLNYKpxiwDYGpkCABFAADjtQsAAEARP5zAqAIBwKgCEQA1\/jcAz3eX0zSBgAABAAUAAAAABHBsYXkGaXR1bmVzBWFwcGxlA2NvbQAAAQABwAwABQABAAAMOwAmCHBsYXktY2RuDGl0dW5lcy1hcHBsZQNjb20GYWthZG5zA25ldADAMwAFAAEAAAOmACIEcGxheQZpdHVuZXMFYXBwbGUDY29tCWVkZ2VzdWl0ZcBUwGUABQABAAAAXgAUBWExODA2BGRzY2IGYWthbWFpwFTAkwABAAEAAAAOAARce00awJMAAQABAAAADgAEXHtNQA=="}
 01025{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1582454599930239,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":1,"num_answers":5,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"92.123.77.26"}}}
-01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":86660.8,"max":686219,"stddev":170333.3,"var":29013448704.0,"ent":3.1,"data": [33952,135750,186,135485,2092,235,8690,6,162529,885,167358,319355,36,34737,102,651125,555,14,127,59,44,145,155,686219,30,1215,16,33741,32499,122595,156547,0]},"pktlen": {"min":66,"avg":324.7,"max":1506,"stddev":443.9,"var":197074.7,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66]},"bins": {"c_to_s": [8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":86660.8,"max":686219,"stddev":170333.3,"var":29013448704.0,"ent":3.1,"data": [33952,135750,186,135485,2092,235,8690,6,162529,885,167358,319355,36,34737,102,651125,555,14,127,59,44,145,155,686219,30,1215,16,33741,32499,122595,156547]},"pktlen": {"min":66,"avg":324.7,"max":1506,"stddev":443.9,"var":197074.7,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66]},"bins": {"c_to_s": [8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599934729,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1582454599934729,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGzmnAqAIRXHtNGsWbAbupO4D5AAAAALDC\/\/\/ZMQAAAgQFtAEDAwcBAQgKEd\/tTwAAAAAEAgAA"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1582454599967985,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAADUGGW5ce00awKgCEQG7xZtUZWomqTuA+qBScSDQrwAAAgQFrAQCCAozMbcgEd\/tTwEDAwc="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":351,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1582454600080813,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1582454600080813,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGznXAqAIRXHtNGsWbAbupO4D6VGVqJ4AQBAtsOAAAAQEIChHf7eAzMbcg"}
 01120{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":352,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600080888,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":364,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454600116695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1582454600116695,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.3","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":67409.2,"max":654765,"stddev":146324.1,"var":21410738176.0,"ent":2.9,"data": [34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765,0]},"pktlen": {"min":54,"avg":313.4,"max":1506,"stddev":449.8,"var":202280.4,"ent":3.9,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66]},"bins": {"c_to_s": [9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":25541.8,"max":147307,"stddev":44603.2,"var":1989448704.0,"ent":3.2,"data": [33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566,0]},"pktlen": {"min":66,"avg":336.1,"max":1506,"stddev":461.1,"var":212650.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
-01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":109285.4,"max":803512,"stddev":185220.7,"var":34306707456.0,"ent":3.4,"data": [145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245,0]},"pktlen": {"min":66,"avg":735.0,"max":1506,"stddev":667.3,"var":445284.8,"ent":4.3,"data": [78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506]},"bins": {"c_to_s": [8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0]}}
+01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":67409.2,"max":654765,"stddev":146324.1,"var":21410738176.0,"ent":2.9,"data": [34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765]},"pktlen": {"min":54,"avg":313.4,"max":1506,"stddev":449.8,"var":202280.4,"ent":3.9,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66]},"bins": {"c_to_s": [9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":25541.8,"max":147307,"stddev":44603.2,"var":1989448704.0,"ent":3.2,"data": [33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566]},"pktlen": {"min":66,"avg":336.1,"max":1506,"stddev":461.1,"var":212650.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":109285.4,"max":803512,"stddev":185220.7,"var":34306707456.0,"ent":3.4,"data": [145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245]},"pktlen": {"min":66,"avg":735.0,"max":1506,"stddev":667.3,"var":445284.8,"ent":4.3,"data": [78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506]},"bins": {"c_to_s": [8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0]}}
 03838{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"p26-keyvalueservice.icloud.com","tls": {"version":"TLSv1.2","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyvalueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454600454021,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600454021,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":63677,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1582454600454021,"pkt":"xiwDYGpkxGGLNYKpCABFAABDtJ8AAP8RgafAqAIRwKgCAfi9ADUAL+BtI4YBAAABAAAAAAAABHN5bmMGaXR1bmVzBWFwcGxlA2NvbQAAAQAB"}
@@ -326,8 +326,8 @@
 ~~ total active/idle flows...: 51/51
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6533689 bytes
-~~ total memory freed........: 6533689 bytes
+~~ total memory allocated....: 6533485 bytes
+~~ total memory freed........: 6533485 bytes
 ~~ total allocations/frees...: 122745/122745
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/ipp.pcap.out b/test/results/ipp.pcap.out
index d8738b88b..5139eeea7 100644
--- a/test/results/ipp.pcap.out
+++ b/test/results/ipp.pcap.out
@@ -10,7 +10,7 @@
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1210953938235230,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953938235939,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8U6wAAEAG\/dAKCgr7CgoKMQJ32C61d5gB3HcoNaASFtAB+AAAAgQFtAEDAwABAQgKAFjtJABr7jw="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1210953938235965,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1210953938235965,"pkt":"ABJ5gGlgABtjmL82CABFAAA0xglAAEAGS3sKCgoxCgoK+9guAnfcdyg1tXeYAoAQAC5EXQAAAQEICgBr7j0AWO0k"}
 01264{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938236026,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":144,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953938236026,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"10.10.10.251","http": {"url":"10.10.10.251\/ipp\/","code":0,"content_type":"","user_agent":"CUPS\/1.3.4","request_content_type":"application\/ipp"}}}
-01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":3808.3,"max":9119,"stddev":3527.0,"var":12440042.0,"ent":4.2,"data": [709,735,61,34,3567,1615,5071,72,15,5799,5726,12,3653,3625,5,7253,7252,7,8848,8850,9,9119,9104,8,7245,7239,6,7601,7598,8,7210,0]},"pktlen": {"min":66,"avg":897.7,"max":2962,"stddev":882.8,"var":779357.9,"ent":4.2,"data": [74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66]},"bins": {"c_to_s": [3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":3808.3,"max":9119,"stddev":3527.0,"var":12440042.0,"ent":4.2,"data": [709,735,61,34,3567,1615,5071,72,15,5799,5726,12,3653,3625,5,7253,7252,7,8848,8850,9,9119,9104,8,7245,7239,6,7601,7598,8,7210]},"pktlen": {"min":66,"avg":897.7,"max":2962,"stddev":882.8,"var":779357.9,"ent":4.2,"data": [74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66]},"bins": {"c_to_s": [3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1210953939430652,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953939430652,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55343,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939430652,"pkt":"ABJ5gGlgABtjmL82CABFAAA8ASxAAEAGEFEKCgoxCgoK+9gvAnfdKfPLAAAAAKACFtBpAQAAAgQFtAQCCAoAa\/LnAAAAAAEDAwc="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":254,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939431407,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939431407,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8VFQAAEAG\/SgKCgr7CgoKMQJ32C+1fm4B3SnzzKASFtBa+AAAAgQFtAEDAwABAQgKAFjtJwBr8uc="}
@@ -28,10 +28,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047141 bytes
-~~ total memory freed........: 6047141 bytes
+~~ total memory allocated....: 6047129 bytes
+~~ total memory freed........: 6047129 bytes
 ~~ total allocations/frees...: 121796/121796
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1929 chars
-~~ json string avg len.......: 1207 chars
+~~ json string max len.......: 1927 chars
+~~ json string avg len.......: 1206 chars
diff --git a/test/results/ipsec_isakmp_esp.pcap.out b/test/results/ipsec_isakmp_esp.pcap.out
index 1982066cf..1441c55d2 100644
--- a/test/results/ipsec_isakmp_esp.pcap.out
+++ b/test/results/ipsec_isakmp_esp.pcap.out
@@ -15,7 +15,7 @@
 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":24,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":24,"packets-processed":23,"total-skipped-flows":0,"total-l4-payload-len":11884,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":2,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":946745300340000}
 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":14,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745301909000,"flow_dst_last_pkt_time":946745301906000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":11540,"flow_dst_tot_l4_payload_len":3360,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745300381000,"flow_dst_last_pkt_time":946745300411000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":4728,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
-01785{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":87056800.0,"max":662067000,"stddev":203163760.0,"var":41275511887888384.0,"ent":2.0,"data": [122000,677000,771000,222000,34000,2372000,1000,23000,2387000,22000,24000,661960000,662067000,681000,743000,195000,34000,407000,421000,4000,138000,188000,12771000,421390000,408766000,0,0,0,0,0,0,0]},"pktlen": {"min":122,"avg":542.1,"max":1374,"stddev":468.7,"var":219671.5,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0],"s_to_c": [0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01771{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":87056800.0,"max":662067000,"stddev":203163760.0,"var":41275511887888384.0,"ent":2.0,"data": [122000,677000,771000,222000,34000,2372000,1000,23000,2387000,22000,24000,661960000,662067000,681000,743000,195000,34000,407000,421000,4000,138000,188000,12771000,421390000,408766000]},"pktlen": {"min":122,"avg":542.1,"max":1374,"stddev":468.7,"var":219671.5,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0],"s_to_c": [0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":22,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745725650000,"flow_dst_last_pkt_time":946745725647000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":16260,"flow_dst_tot_l4_payload_len":5568,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":8,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745723231000,"flow_dst_last_pkt_time":946745723263000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":6304,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":62,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":61,"total-skipped-flows":0,"total-l4-payload-len":29572,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":6,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":21,"global_ts_usec":946747247312000}
@@ -165,8 +165,8 @@
 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":348,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":816,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":816,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":816,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00784{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAADsy5UAAPcRCo5t7bvjwKgCZBGUOKQA2N2eAAAAAMT3roGUU5AxVDreTwHgKMguICMgAAAAAQAAAMwkAACw3+hDUjEFQ6MgpqAEcApKvn9uh3qVHzhAobzzdsLHNL0cE0MCy6hqRcHq2zyFYxqKUvV9qpSoUCOXzZX8acXWksJkwcZvlj3pHUnomqGBUy7YKx8\/BoUpsdZ+YJ66Urw6XFHoKHyVFJYrxhfDTA96A3GMtNoZk+CLmvMZh9uGXGXGb9zoZqBq9vHjZRx\/MplOtNEvpcXqGaCwVYcGtrGfedPqueJGKjXMXpyHhw=="}
 00655{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAACMqXpAAD8RpQnAqAJkbe274zikEZQAeOw1AAAAAMT3roGUU5AxVDreTwHgKMguICMIAAAAAgAAAGwwAABQp3zPqAaPZdCtSbotjrN0irXGcY7JpOGxC6pjgSY\/TZB8lMPX2DP1QKzYFMuSni2xVCT2eLDFep09w0XbtiWVOI2z82MP7LPt5iJg1A=="}
-01613{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":10256,"flow_dst_tot_l4_payload_len":4624,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":122,"avg":507.0,"max":1374,"stddev":453.9,"var":206039.0,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":465,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":12608,"flow_dst_tot_l4_payload_len":2720,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":94,"avg":521.0,"max":842,"stddev":320.2,"var":102515.0,"ent":4.7,"data": [818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01550{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":10256,"flow_dst_tot_l4_payload_len":4624,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":507.0,"max":1374,"stddev":453.9,"var":206039.0,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01532{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":465,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":12608,"flow_dst_tot_l4_payload_len":2720,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":94,"avg":521.0,"max":842,"stddev":320.2,"var":102515.0,"ent":4.7,"data": [818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":818,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":818,"pkt_l4_len":784,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAMkUT5AAD8R+q7AqAJkbe274ikEAfQDENNXqwswX1pdWlQAAAAAAAAAACEgIggAAAAAAAADCCIAAggCAABQAQEACAMAAAwBAAAMgA4AgAMAAAwBAAAMgA4BAAMAAAgDAAACAwAACAMAAAwDAAAIAgAAAgMAAAgCAAAFAwAACAQAAAIAAAAIBAAABQAAAbQCAQAuAwAACAEAAAMDAAAMAQAADIAOAIADAAAMAQAADIAOAMADAAAMAQAADIAOAQADAAAMAQAADYAOAIADAAAMAQAADYAOAMADAAAMAQAADYAOAQADAAAMAQAAEoAOAIADAAAMAQAAEoAOAMADAAAMAQAAEoAOAQADAAAMAQAAE4AOAIADAAAMAQAAE4AOAMADAAAMAQAAE4AOAQADAAAMAQAAFIAOAIADAAAMAQAAFIAOAMADAAAMAQAAFIAOAQADAAAIAwAAAQMAAAgDAAACAwAACAMAAAUDAAAIAwAADAMAAAgDAAANAwAACAMAAA4DAAAIAgAAAQMAAAgCAAACAwAACAIAAAQDAAAIAgAABQMAAAgCAAAGAwAACAIAAAcDAAAIBAAAAgMAAAgEAAAFAwAACAQAAA4DAAAIBAAADwMAAAgEAAAQAwAACAQAABIDAAAIBAAAEwMAAAgEAAAUAwAACAQAABUDAAAIBAAAFgMAAAgEAAAXAwAACAQAABgDAAAIBAAAGQMAAAgEAAAaAwAACAQAABsDAAAIBAAAHAMAAAgEAAAdAAAACAQAAB4oAACIAAIAANisWYZIjej7n3HtY6YrUGG6ju3JyAgfXaIbqQqsCk6WamsA3yJowbMrsQiavjlYliQ8\/bmnkd4oik6yfXzF2nnT5++MrBWp59hXjvpQG7CUKBYM2qK1rCYScGFGvoCH+VaOstA9qnbA93UZ+lGrf8oiyLKNCUx8EmTjNr1npSw0KQAAJEdv70J9iweqoyFFLnrl4Zzojnhs5HDATx3IKPlr2BaOKQAAHAAAQASxGcGDddgOxJ\/uFM4nQfEOTHdh1AAAABwAAEAFw3IlZSVVICry3JG3pa18XmliW9c="}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":10500,"dst_port":500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
@@ -187,7 +187,7 @@
 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":658,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":816,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":816,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":816,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00789{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":659,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAADsk6IAAPYRQ+Jt7buCwKgCZBGUOKQA2IekAAAAAM17ri1L\/ac+HEFGvwEgEbUuICMgAAAAAQAAAMwkAACwnjHnEXtSQ9YBTsYWhNWWL2lb3zCSVGmtTzEvh47BEs\/bjLyBXTJjuCqg7wWeV74OlRvZj2lbuv2HF8N25vmjxy2gOj3GTSIkrJ81O5xBYrk\/DO\/U3vnDhNrRnxnnbUAcri8CK4colHYFHy00rAAnAiq\/J3y\/4Psn7O2YNdeQxTN+FVKTTs+PkcU9iJQYjyeso5yATeFNdg3Yo2REPpR\/v53srr2DXIiU+rV2BA=="}
 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":660,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAACMfEZAAD8R0p7AqAJkbe27gjikEZQAeEKcAAAAAM17ri1L\/ac+HEFGvwEgEbUuICMIAAAAAgAAAGwwAABQ4uWpvKvs0+Grd38C+Ik2kAU8jJda\/\/ZCHQQBPzJXFKXfyLyFjecJewBE8lyFFdf5WHr93Xl19FueaRtvNm5eWTihSgwraMBcuUWyzQ=="}
-01619{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":7848,"flow_dst_tot_l4_payload_len":12096,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":122,"avg":665.2,"max":1374,"stddev":511.6,"var":261688.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0],"s_to_c": [0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":7848,"flow_dst_tot_l4_payload_len":12096,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":665.2,"max":1374,"stddev":511.6,"var":261688.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0],"s_to_c": [0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":416,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":416,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":42593,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01065{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":458,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":458,"pkt_l4_len":424,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAG8AURAAP0RjjHAqAJkbe27waZhEZQBqLXBAAAAABcjot1R1L2v9VP\/ZQPMlAYuICMIAAAAAQAAAZwjAAGAFzlsP7YgimBjfIhMJEPhZdw0CnuZSvY37VZC7a055Lu7e+IEFmagHoqj\/3VU94cqC6SemXaaay0d\/2HUKJiZnpCAdCpw2HQ0KrTFW857JbKQ5j3IjKxRjcUYXqtMskX1DsgbCtObqa65cF5WltmtdmwVSANhLzG0LAR+CYEUUulm5YiOyMOFPbHpSrtDM2EEADmkbnPxO00Rexy0LvWXHDnINrIOiYbG6hzWEPIEI9Eq\/yH+hgIb4D\/vUKMOXGmPYj6eX3YPkbs08cGm1IBTDEzAwFQ6+Dut0IKwpkVjd+zPi5GajMElxeEZqtJlXKjo9Q5m9\/Z280gMX0Ev66KMtd6K6mBxkfkxU48zqh5WNlzUeROBsXFhnHi99g6+xt5SosQj2gpfId\/yriJfKS5T7sFkMpq5UCC9LwpNDHHYOliSKEorplbbZFT5pCqGgvpGJkdN1m+eylUPZy+lsCygyTo96r1KrC7wKmw+U5ttVkc6oJ49jPR1mswYgKs="}
 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":416,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":416,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":42593,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
@@ -228,8 +228,8 @@
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":955,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":10500,"dst_port":500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":956,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAABQw\/QAAPcREutt7bvDwKgCZAH0KQQAPDt0h60nd4XOo4EAAAAAAAAAACkgIiAAAAAAAAAANAAAABgAAEAGAAFWSjMix2hDw5Uoh9iWqg=="}
 01572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":957,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":842,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":842,"pkt_l4_len":808,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAM8ygVAAD8Rge7AqAJkbe27wykEAfQDKIzIh60nd4XOo4EAAAAAAAAAACkgIggAAAAAAAADICEAABgAAEAGAAFWSjMix2hDw5Uoh9iWqiIAAggCAABQAQEACAMAAAwBAAAMgA4AgAMAAAwBAAAMgA4BAAMAAAgDAAACAwAACAMAAAwDAAAIAgAAAgMAAAgCAAAFAwAACAQAAAIAAAAIBAAABQAAAbQCAQAuAwAACAEAAAMDAAAMAQAADIAOAIADAAAMAQAADIAOAMADAAAMAQAADIAOAQADAAAMAQAADYAOAIADAAAMAQAADYAOAMADAAAMAQAADYAOAQADAAAMAQAAEoAOAIADAAAMAQAAEoAOAMADAAAMAQAAEoAOAQADAAAMAQAAE4AOAIADAAAMAQAAE4AOAMADAAAMAQAAE4AOAQADAAAMAQAAFIAOAIADAAAMAQAAFIAOAMADAAAMAQAAFIAOAQADAAAIAwAAAQMAAAgDAAACAwAACAMAAAUDAAAIAwAADAMAAAgDAAANAwAACAMAAA4DAAAIAgAAAQMAAAgCAAACAwAACAIAAAQDAAAIAgAABQMAAAgCAAAGAwAACAIAAAcDAAAIBAAAAgMAAAgEAAAFAwAACAQAAA4DAAAIBAAADwMAAAgEAAAQAwAACAQAABIDAAAIBAAAEwMAAAgEAAAUAwAACAQAABUDAAAIBAAAFgMAAAgEAAAXAwAACAQAABgDAAAIBAAAGQMAAAgEAAAaAwAACAQAABsDAAAIBAAAHAMAAAgEAAAdAAAACAQAAB4oAACIAAIAAEnKegIkLOmW4KZNcOCo7ZOC4licZ2A51HwGaEIiqoXRPN6FcRoNRdAJs+VA4OoEhdOX8Fx4+MU+pUH2RMi10WP9fW5dlYg6Cr9HTfi+4X5mNAA6iu7R0SUnBzU7WFhgJmUeZ23\/+YRhQU1yMpmQB5bWydw9ZfvTkPXAog0gKlZ1KQAAJIVS0Rg+btu6BkuEgsgaurW3aJ4eaYYGQ6VjkOvvz6QMKQAAHAAAQASo5HDOkRKoIfuPc\/+LezYZYFoAhAAAABwAAEAFi9H7SlG8iBMVMxjPqyusPgxIUYI="}
-01615{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":983,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10224,"flow_dst_tot_l4_payload_len":7128,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":122,"avg":584.2,"max":1374,"stddev":486.8,"var":236933.9,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
-01615{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1048,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10240,"flow_dst_tot_l4_payload_len":5876,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.225","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":122,"avg":545.6,"max":1374,"stddev":472.2,"var":222978.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":983,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10224,"flow_dst_tot_l4_payload_len":7128,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":584.2,"max":1374,"stddev":486.8,"var":236933.9,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
+01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1048,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10240,"flow_dst_tot_l4_payload_len":5876,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.225","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":545.6,"max":1374,"stddev":472.2,"var":222978.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":53,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":21676,"flow_dst_tot_l4_payload_len":34636,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":4720,"flow_dst_tot_l4_payload_len":2208,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.131","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":4720,"flow_dst_tot_l4_payload_len":2208,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}}
@@ -261,10 +261,10 @@
 ~~ total active/idle flows...: 36/36
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6124001 bytes
-~~ total memory freed........: 6124001 bytes
+~~ total memory allocated....: 6123857 bytes
+~~ total memory freed........: 6123857 bytes
 ~~ total allocations/frees...: 122919/122919
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
-~~ json string max len.......: 1790 chars
-~~ json string avg len.......: 1145 chars
+~~ json string max len.......: 1776 chars
+~~ json string avg len.......: 1138 chars
diff --git a/test/results/irc.pcap.out b/test/results/irc.pcap.out
index 31cc45415..5a71fe10d 100644
--- a/test/results/irc.pcap.out
+++ b/test/results/irc.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038580 bytes
-~~ total memory freed........: 6038580 bytes
+~~ total memory allocated....: 6038576 bytes
+~~ total memory freed........: 6038576 bytes
 ~~ total allocations/frees...: 121518/121518
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
index 046b56609..bf9b5ed56 100644
--- a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
+++ b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
@@ -41,8 +41,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036428 bytes
-~~ total memory freed........: 6036428 bytes
+~~ total memory allocated....: 6036424 bytes
+~~ total memory freed........: 6036424 bytes
 ~~ total allocations/frees...: 121514/121514
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 263 chars
diff --git a/test/results/jabber.pcap.out b/test/results/jabber.pcap.out
index 371c2175a..836e1e3be 100644
--- a/test/results/jabber.pcap.out
+++ b/test/results/jabber.pcap.out
@@ -5,13 +5,13 @@
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1502379723841804,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502379723842248,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3wagxQKCw6iV9qASOJCmRgAAAgQFtAQCCAoAGMyaTgMEJwEDAwc="}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1502379723842315,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502379723842315,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0qcBAAEAGAACsEAA+rBABit8GFGbDqJX2oMUCg4AQICtaDwAAAQEICk4DBCcAGMya"}
 00857{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379723843132,"flow_dst_last_pkt_time":1502379723843076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502379723843132,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":218,"avg":38862.0,"max":337747,"stddev":84176.8,"var":7085729792.0,"ent":3.0,"data": [444,511,417,828,400,374,12411,12818,2412,2410,348,1979,1627,218,40781,36965,77519,220,613,337303,337747,374,834,51093,51498,6383,6386,306,844,109053,109606,0]},"pktlen": {"min":66,"avg":142.1,"max":445,"stddev":104.5,"var":10930.1,"ent":4.7,"data": [78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":218,"avg":38862.0,"max":337747,"stddev":84176.8,"var":7085729792.0,"ent":3.0,"data": [444,511,417,828,400,374,12411,12818,2412,2410,348,1979,1627,218,40781,36965,77519,220,613,337303,337747,374,834,51093,51498,6383,6386,306,844,109053,109606]},"pktlen": {"min":66,"avg":142.1,"max":445,"stddev":104.5,"var":10930.1,"ent":4.7,"data": [78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175298881,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1502380175298881,"pkt":"Tl6SKSKGaFs1pN2oCABFAABAIwFAAEAGAACsEAA+rBABit8iFGaEgGHPAAAAALAC\/\/9aGwAAAgQFtAEDAwQBAQgKTgnffgAAAAAEAgAA"}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502380175299571,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3yLL7qcahIBh0KASOJCKxQAAAgQFtAQCCAoAH7AnTgnffgEDAwc="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1502380175299630,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502380175299630,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0ciBAAEAGAACsEAA+rBABit8iFGaEgGHQy+6nG4AQICtaDwAAAQEICk4J334AH7An"}
 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175300064,"flow_dst_last_pkt_time":1502380175300022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175300064,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":38006.2,"max":336798,"stddev":84915.4,"var":7210629120.0,"ent":2.8,"data": [690,749,72,451,362,328,190,509,138,134,177,1433,1288,169,39805,40983,80676,197,580,336438,336798,280,830,51170,51717,134,126,305,762,115132,115569,0]},"pktlen": {"min":66,"avg":142.0,"max":445,"stddev":104.5,"var":10917.3,"ent":4.7,"data": [78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01684{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":38006.2,"max":336798,"stddev":84915.4,"var":7210629120.0,"ent":2.8,"data": [690,749,72,451,362,328,190,509,138,134,177,1433,1288,169,39805,40983,80676,197,580,336438,336798,280,830,51170,51717,134,126,305,762,115132,115569]},"pktlen": {"min":66,"avg":142.0,"max":445,"stddev":104.5,"var":10917.3,"ent":4.7,"data": [78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1502380213387324,"pkt":"Tl6SKSKGaFs1pN2oCABFAABEEUNAAEAGAACsEAA+rBABit8mFGZE6SgmjZ+UW4AYIABaHwAAAQEICk4Kc24AIDNjPC9zdHJlYW06c3RyZWFtPg=="}
 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
@@ -36,7 +36,7 @@
 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":251,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1502380915481182,"flow_dst_last_pkt_time":1502380915486217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1502380915486217,"pkt":"aFs1pN2oTl6SKSKGCABFAACsmGdAAEAGR\/ysEAGKrBAAPhRm3z2fGhbwcCeU94AYAP6TqgAAAQEICgAq+5ZOFR2YPG1lc3NhZ2UgdG89J3RvbUBjcy14bXBwLmxhbi9kYXJrc3RhcicgZnJvbT0nY2hhdC13aXRoLXRvbUBjb25mZXJlbmNlLmNzLXhtcHAubGFuJyB0eXBlPSdncm91cGNoYXQnPjxzdWJqZWN0Lz48L21lc3NhZ2U+"}
 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":12,"flow_first_seen":1502380724652555,"flow_src_last_pkt_time":1502380725074115,"flow_dst_last_pkt_time":1502380725074074,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":285,"flow_src_tot_l4_payload_len":654,"flow_dst_tot_l4_payload_len":772,"midstream":0,"thread_ts_usec":1502380919392608,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57147,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":260,"packets-processed":243,"total-skipped-flows":0,"total-l4-payload-len":34275,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":38,"global_ts_usec":1502381519875958}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":42007464.0,"max":600487770,"stddev":147104800.0,"var":21639823353708544.0,"ent":1.4,"data": [5033,2,5089,3,217021,217977,974,3684463,3688323,3876,600484177,600487770,3,3561,6,1107,1119,7791,47498,39730,447,62982,63440,253,504,186,80,2,90,46583978,46623992,0]},"pktlen": {"min":66,"avg":164.8,"max":529,"stddev":117.9,"var":13893.8,"ent":4.7,"data": [305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66]},"bins": {"c_to_s": [9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":42007464.0,"max":600487770,"stddev":147104800.0,"var":21639823353708544.0,"ent":1.4,"data": [5033,2,5089,3,217021,217977,974,3684463,3688323,3876,600484177,600487770,3,3561,6,1107,1119,7791,47498,39730,447,62982,63440,253,504,186,80,2,90,46583978,46623992]},"pktlen": {"min":66,"avg":164.8,"max":529,"stddev":117.9,"var":13893.8,"ent":4.7,"data": [305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66]},"bins": {"c_to_s": [9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":289,"packets-processed":270,"total-skipped-flows":0,"total-l4-payload-len":36212,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1504181789350325}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1504181789350325,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1504181789350325,"l3_proto":"ip4","src_ip":"192.168.58.1","dst_ip":"192.168.58.153","src_port":53460,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1504181789350325,"pkt":"AAwpvhIxAFBWwAAICABFAAA0dxlAAIAGjb\/AqDoBwKg6mdDUFGaBHPlXAAAAAIACIAD5dQAAAgQFtAEDAwgBAQQC"}
@@ -92,10 +92,10 @@
 ~~ total active/idle flows...: 12/12
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6088511 bytes
-~~ total memory freed........: 6088511 bytes
+~~ total memory allocated....: 6088463 bytes
+~~ total memory freed........: 6088463 bytes
 ~~ total allocations/frees...: 121967/121967
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1728 chars
-~~ json string avg len.......: 1109 chars
+~~ json string max len.......: 1726 chars
+~~ json string avg len.......: 1108 chars
diff --git a/test/results/kerberos-error.pcap.out b/test/results/kerberos-error.pcap.out
index 8e3d01f42..18737c82d 100644
--- a/test/results/kerberos-error.pcap.out
+++ b/test/results/kerberos-error.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/kerberos-login.pcap.out b/test/results/kerberos-login.pcap.out
index 47c7690e4..748d98813 100644
--- a/test/results/kerberos-login.pcap.out
+++ b/test/results/kerberos-login.pcap.out
@@ -84,8 +84,8 @@
 ~~ total active/idle flows...: 13/13
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6056340 bytes
-~~ total memory freed........: 6056340 bytes
+~~ total memory allocated....: 6056288 bytes
+~~ total memory freed........: 6056288 bytes
 ~~ total allocations/frees...: 121647/121647
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/kerberos.pcap.out b/test/results/kerberos.pcap.out
index c6a5a1849..a36147e71 100644
--- a/test/results/kerberos.pcap.out
+++ b/test/results/kerberos.pcap.out
@@ -194,8 +194,8 @@
 ~~ total active/idle flows...: 36/36
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6146058 bytes
-~~ total memory freed........: 6146058 bytes
+~~ total memory allocated....: 6145914 bytes
+~~ total memory freed........: 6145914 bytes
 ~~ total allocations/frees...: 121939/121939
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/kerberos_fuzz.pcapng.out b/test/results/kerberos_fuzz.pcapng.out
index 8c2eca8a4..013e43ef1 100644
--- a/test/results/kerberos_fuzz.pcapng.out
+++ b/test/results/kerberos_fuzz.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035646 bytes
-~~ total memory freed........: 6035646 bytes
+~~ total memory allocated....: 6035642 bytes
+~~ total memory freed........: 6035642 bytes
 ~~ total allocations/frees...: 121487/121487
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/kismet.pcap.out b/test/results/kismet.pcap.out
index 4c9b2285c..7811f9401 100644
--- a/test/results/kismet.pcap.out
+++ b/test/results/kismet.pcap.out
@@ -5,7 +5,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1144004385285325,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1144004385285353,"pkt":"AAAAAAAAAAAAAAAACABFAAA0AABAAIAG\/MF\/AAABfwAAAQnFhRGzPp6Js2uR14ASf\/+QygAAAgRADAEBBAIBAwMC"}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1144004385285367,"pkt":"AAAAAAAAAAAAAAAACABFAAAoPIdAAIAGwEZ\/AAABfwAAAYURCcWza5HXsz6eilAQIABr7wAA"}
 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1144004385285561,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01773{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":836339.2,"max":1099852,"stddev":406205.2,"var":165002641408.0,"ent":4.7,"data": [28,42,208,235,399947,399927,615244,615286,399575,399620,1099784,1099782,1099835,1099834,1099815,1099816,1099834,1099831,1099838,1099839,1099849,1099852,1099837,1099839,1099821,1099818,1099833,1099833,1099842,1099843,1099828,0]},"pktlen": {"min":54,"avg":142.9,"max":1099,"stddev":184.2,"var":33913.2,"ent":4.4,"data": [66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01771{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":836339.2,"max":1099852,"stddev":406205.2,"var":165002641408.0,"ent":4.7,"data": [28,42,208,235,399947,399927,615244,615286,399575,399620,1099784,1099782,1099835,1099834,1099815,1099816,1099834,1099831,1099838,1099839,1099849,1099852,1099837,1099839,1099821,1099818,1099833,1099833,1099842,1099843,1099828]},"pktlen": {"min":54,"avg":142.9,"max":1099,"stddev":184.2,"var":33913.2,"ent":4.4,"data": [66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":17,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004399898338,"flow_dst_last_pkt_time":1144004399898316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1912,"midstream":0,"thread_ts_usec":1144004399898338,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","packets-captured":35,"packets-processed":35,"total-skipped-flows":0,"total-l4-payload-len":2957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1144004399898338}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038708 bytes
-~~ total memory freed........: 6038708 bytes
+~~ total memory allocated....: 6038704 bytes
+~~ total memory freed........: 6038704 bytes
 ~~ total allocations/frees...: 121523/121523
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1778 chars
-~~ json string avg len.......: 1072 chars
+~~ json string max len.......: 1776 chars
+~~ json string avg len.......: 1071 chars
diff --git a/test/results/kontiki.pcap.out b/test/results/kontiki.pcap.out
index cf3535fcc..64d7d2ff2 100644
--- a/test/results/kontiki.pcap.out
+++ b/test/results/kontiki.pcap.out
@@ -26,7 +26,7 @@
 00722{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662198701406,"pkt":"ABVYKKDoANAreRD8CABFwAA4\/Y8AAPoBuFQET9t9ChkgOwsADhsAAAAARQAAIA+mAAABEaq1ChkgO0DIlFZN7CK4AAx2NA=="}
 00847{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}}
-01856{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":45197.9,"max":607738,"stddev":118031.4,"var":13931400192.0,"ent":2.6,"data": [198615,212422,193796,607738,3074,5780,31191,29960,8831,9093,72,244,17,19380,18261,96,127,127,114,15289,14893,16,235,114,13,97,15924,15357,18,115,125,0]},"pktlen": {"min":46,"avg":818.4,"max":1283,"stddev":568.0,"var":322604.6,"ent":4.5,"data": [46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283]},"bins": {"c_to_s": [7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
+01854{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":45197.9,"max":607738,"stddev":118031.4,"var":13931400192.0,"ent":2.6,"data": [198615,212422,193796,607738,3074,5780,31191,29960,8831,9093,72,244,17,19380,18261,96,127,127,114,15289,14893,16,235,114,13,97,15924,15357,18,115,125]},"pktlen": {"min":46,"avg":818.4,"max":1283,"stddev":568.0,"var":322604.6,"ent":4.5,"data": [46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283]},"bins": {"c_to_s": [7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1173,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200284689,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662200284689,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEAgAACARi0EKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1174,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200285056,"flow_dst_last_pkt_time":1213662198298679,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662200285056,"pkt":"ABVYKKDoANABJAf8CABFAAA4wRIAAP8BpkIKGSADChkgOwMN8aAAAAAARQAAMBAIAAAfEYxBChkgO0DIlFhN7ABQABy8+Q=="}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2709,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1213662202284851,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662202284851,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEJ8AACARiqoKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="}
@@ -50,10 +50,10 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6142394 bytes
-~~ total memory freed........: 6142394 bytes
+~~ total memory allocated....: 6142362 bytes
+~~ total memory freed........: 6142362 bytes
 ~~ total allocations/frees...: 124845/124845
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1861 chars
-~~ json string avg len.......: 1175 chars
+~~ json string max len.......: 1859 chars
+~~ json string avg len.......: 1174 chars
diff --git a/test/results/lisp_registration.pcap.out b/test/results/lisp_registration.pcap.out
index 6aa6ef724..64a593287 100644
--- a/test/results/lisp_registration.pcap.out
+++ b/test/results/lisp_registration.pcap.out
@@ -33,8 +33,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045495 bytes
-~~ total memory freed........: 6045495 bytes
+~~ total memory allocated....: 6045479 bytes
+~~ total memory freed........: 6045479 bytes
 ~~ total allocations/frees...: 121549/121549
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
diff --git a/test/results/log4j-webapp-exploit.pcap.out b/test/results/log4j-webapp-exploit.pcap.out
index e802d1557..45e3282bc 100644
--- a/test/results/log4j-webapp-exploit.pcap.out
+++ b/test/results/log4j-webapp-exploit.pcap.out
@@ -28,7 +28,7 @@
 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":35,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAAAAQAGAkJ2jzQWAAAIBgABCAAGBAABAkJ2jzQWrBDuAQAAAAAAAKwQ7go="}
 00200{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":113,"packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054,"global_ts_usec":1639425820869752}
 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAQAAQAGAkKsEO4KAAAIBgABCAAGBAACAkKsEO4KrBDuCgJCdo80FqwQ7gE="}
-01511{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":46,"avg":474225.3,"max":7288582,"stddev":1789599.0,"var":3202664366080.0,"ent":1.1,"data": [143,183,7288581,7288582,60489,60668,256,174,116,102,89,87,86,86,151,159,99,144,121,87,73,51,50,48,47,46,47,47,47,46,81,0]},"pktlen": {"min":68,"avg":69.5,"max":76,"stddev":2.2,"var":4.6,"ent":5.0,"data": [76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71]},"bins": {"c_to_s": [17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
+01509{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":46,"avg":474225.3,"max":7288582,"stddev":1789599.0,"var":3202664366080.0,"ent":1.1,"data": [143,183,7288581,7288582,60489,60668,256,174,116,102,89,87,86,86,151,159,99,144,121,87,73,51,50,48,47,46,47,47,47,46,81]},"pktlen": {"min":68,"avg":69.5,"max":76,"stddev":2.2,"var":4.6,"ent":5.0,"data": [76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71]},"bins": {"c_to_s": [17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639425834628601,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639425834628601,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1639425834628601,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADxNdkAAQAa5DqwQ7gqsEO4L4Y4FbXfaWIQAAAAAoAJyEDRmAAACBAW0BAIICvIpXGkAAAAAAQMDBw=="}
@@ -61,10 +61,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6064223 bytes
-~~ total memory freed........: 6064223 bytes
+~~ total memory allocated....: 6064195 bytes
+~~ total memory freed........: 6064195 bytes
 ~~ total allocations/frees...: 121991/121991
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 204 chars
-~~ json string max len.......: 1516 chars
-~~ json string avg len.......: 859 chars
+~~ json string max len.......: 1514 chars
+~~ json string avg len.......: 858 chars
diff --git a/test/results/long_tls_certificate.pcap.out b/test/results/long_tls_certificate.pcap.out
index 1b534faae..37ce83b17 100644
--- a/test/results/long_tls_certificate.pcap.out
+++ b/test/results/long_tls_certificate.pcap.out
@@ -7,7 +7,7 @@
 01074{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756181671657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609756181681181,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01136{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756182035428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1609756182035428,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 05273{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182035731,"flow_dst_last_pkt_time":1609756182035821,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6858,"midstream":0,"thread_ts_usec":1609756182035821,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}}
-01576{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":87039.9,"max":370939,"stddev":130477.0,"var":17024251904.0,"ent":3.4,"data": [370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6,0]},"pktlen": {"min":54,"avg":384.7,"max":1506,"stddev":546.6,"var":298744.2,"ent":3.8,"data": [78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1]}}
+01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":87039.9,"max":370939,"stddev":130477.0,"var":17024251904.0,"ent":3.4,"data": [370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6]},"pktlen": {"min":54,"avg":384.7,"max":1506,"stddev":546.6,"var":298744.2,"ent":3.8,"data": [78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1]}}
 05275{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}}
 00931{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756183156414,"flow_dst_last_pkt_time":1609756183162351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1073,"flow_dst_tot_l4_payload_len":11027,"midstream":0,"thread_ts_usec":1609756183162351,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","packets-captured":47,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":12100,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1609756183162351}
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6436324 bytes
-~~ total memory freed........: 6436324 bytes
+~~ total memory allocated....: 6436320 bytes
+~~ total memory freed........: 6436320 bytes
 ~~ total allocations/frees...: 121728/121728
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 505 chars
diff --git a/test/results/malformed_dns.pcap.out b/test/results/malformed_dns.pcap.out
index 52a04af71..4a812a014 100644
--- a/test/results/malformed_dns.pcap.out
+++ b/test/results/malformed_dns.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035866 bytes
-~~ total memory freed........: 6035866 bytes
+~~ total memory allocated....: 6035862 bytes
+~~ total memory freed........: 6035862 bytes
 ~~ total allocations/frees...: 121495/121495
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/malformed_icmp.pcap.out b/test/results/malformed_icmp.pcap.out
index f317739f5..d0494e4f9 100644
--- a/test/results/malformed_icmp.pcap.out
+++ b/test/results/malformed_icmp.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/malware.pcap.out b/test/results/malware.pcap.out
index d4280207f..b1432975c 100644
--- a/test/results/malware.pcap.out
+++ b/test/results/malware.pcap.out
@@ -37,8 +37,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6084303 bytes
-~~ total memory freed........: 6084303 bytes
+~~ total memory allocated....: 6084283 bytes
+~~ total memory freed........: 6084283 bytes
 ~~ total allocations/frees...: 121617/121617
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/memcached.cap.out b/test/results/memcached.cap.out
index e3886e99e..857db8bd3 100644
--- a/test/results/memcached.cap.out
+++ b/test/results/memcached.cap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037983 bytes
-~~ total memory freed........: 6037983 bytes
+~~ total memory allocated....: 6037979 bytes
+~~ total memory freed........: 6037979 bytes
 ~~ total allocations/frees...: 121498/121498
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/mgcp.pcapng.out b/test/results/mgcp.pcapng.out
index 46da22b1d..efbd61195 100644
--- a/test/results/mgcp.pcapng.out
+++ b/test/results/mgcp.pcapng.out
@@ -23,8 +23,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037853 bytes
-~~ total memory freed........: 6037853 bytes
+~~ total memory allocated....: 6037845 bytes
+~~ total memory freed........: 6037845 bytes
 ~~ total allocations/frees...: 121517/121517
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/modbus.pcap.out b/test/results/modbus.pcap.out
index 9f813163c..66036a8cc 100644
--- a/test/results/modbus.pcap.out
+++ b/test/results/modbus.pcap.out
@@ -5,7 +5,7 @@
 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953927963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1223541953927963,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1223541953929098,"pkt":"AArkxYMKABzAX0kKCABFAAAzO9pAAIAGYIzAqG6KwKhugwH2CBrhFTrOQdLq0lAY++v\/BAAAANEAAAAFAQMCAAA="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1223541953929171,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1223541953929171,"pkt":"ABzAX0kKAArkxYMKCABFAAA0i\/5AAIAGEGfAqG6DwKhuiggaAfZB0urS4RU62VAY\/LsAJgAAANIAAAAGAQMAAAAB"}
-01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":835,"avg":452370.5,"max":1014211,"stddev":497296.8,"var":247304159232.0,"ent":3.8,"data": [1135,1208,905,1013603,1014211,1539,891,986516,986873,1217,900,1000224,1000513,1187,905,1000230,1000558,1232,911,1000222,1000609,1645,915,999845,1000447,1173,835,1000242,1000645,1238,912,0]},"pktlen": {"min":65,"avg":65.5,"max":66,"stddev":0.5,"var":0.2,"ent":5.0,"data": [66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
+01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":835,"avg":452370.5,"max":1014211,"stddev":497296.8,"var":247304159232.0,"ent":3.8,"data": [1135,1208,905,1013603,1014211,1539,891,986516,986873,1217,900,1000224,1000513,1187,905,1000230,1000558,1232,911,1000222,1000609,1645,915,999845,1000447,1173,835,1000242,1000645,1238,912]},"pktlen": {"min":65,"avg":65.5,"max":66,"stddev":0.5,"var":0.2,"ent":5.0,"data": [66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00915{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":51,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541977036283,"flow_dst_last_pkt_time":1223541977037227,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":612,"flow_dst_tot_l4_payload_len":561,"midstream":1,"thread_ts_usec":1223541977037227,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":1173,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1223541977037227}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038603 bytes
-~~ total memory freed........: 6038603 bytes
+~~ total memory allocated....: 6038599 bytes
+~~ total memory freed........: 6038599 bytes
 ~~ total allocations/frees...: 121589/121589
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1724 chars
-~~ json string avg len.......: 1052 chars
+~~ json string max len.......: 1722 chars
+~~ json string avg len.......: 1051 chars
diff --git a/test/results/monero.pcap.out b/test/results/monero.pcap.out
index 7936113fa..4d5bbf944 100644
--- a/test/results/monero.pcap.out
+++ b/test/results/monero.pcap.out
@@ -10,8 +10,8 @@
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1514196196437568,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196196745688,"pkt":"cIXCQ0+ifmgbW\/gUCABFAAA0AABAACEGefF006fDwKgClA0F0lYVgl9O8ygDlIASchDSRAAAAgQFpAEBBAIBAwMH"}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1514196196745729,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1514196196745729,"pkt":"fmgbW\/gUcIXCQ0+iCABFAAAoltdAAEAGxCXAqAKUdNOnw9JWDQXzKAOUFYJfT1AQAOWEMgAA"}
 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196196745906,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":98,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":98,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196196745906,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-01982{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":7499954.5,"max":71693099,"stddev":18613570.0,"var":346464978993152.0,"ent":2.4,"data": [80304,80325,101,83178,13,83088,126,80997,13,80884,278,117985,882322,1042483,71569648,189,71693099,19,725,81617,32242169,176,32323370,1466,82454,7432953,7432942,3511834,196,3592651,986,0]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":549.1,"var":301531.9,"ent":3.8,"data": [74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91]},"bins": {"c_to_s": [8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0],"s_to_c": [10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-02033{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32857284.0,"max":170525395,"stddev":51784400.0,"var":2681624034541568.0,"ent":3.4,"data": [308120,308161,177,308150,13,308019,704,308743,11,308008,83,346736,653907,1043085,114411206,114368750,308565,308538,36863210,36863172,20419867,20419875,170525387,170525395,113243496,113243486,35871285,35871309,15564630,176,15873525,0]},"pktlen": {"min":54,"avg":237.6,"max":1498,"stddev":347.6,"var":120860.4,"ent":4.1,"data": [74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0],"s_to_c": [4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+01980{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":7499954.5,"max":71693099,"stddev":18613570.0,"var":346464978993152.0,"ent":2.4,"data": [80304,80325,101,83178,13,83088,126,80997,13,80884,278,117985,882322,1042483,71569648,189,71693099,19,725,81617,32242169,176,32323370,1466,82454,7432953,7432942,3511834,196,3592651,986]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":549.1,"var":301531.9,"ent":3.8,"data": [74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91]},"bins": {"c_to_s": [8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0],"s_to_c": [10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+02031{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32857284.0,"max":170525395,"stddev":51784400.0,"var":2681624034541568.0,"ent":3.4,"data": [308120,308161,177,308150,13,308019,704,308743,11,308008,83,346736,653907,1043085,114411206,114368750,308565,308538,36863210,36863172,20419867,20419875,170525387,170525395,113243496,113243486,35871285,35871309,15564630,176,15873525]},"pktlen": {"min":54,"avg":237.6,"max":1498,"stddev":347.6,"var":120860.4,"ent":4.1,"data": [74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0],"s_to_c": [4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":199,"source":"monero.pcap","alias":"nDPId-test","packets-captured":199,"packets-processed":198,"total-skipped-flows":0,"total-l4-payload-len":82647,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1514196819733875}
 01148{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514197261597871,"flow_dst_last_pkt_time":1514197261597824,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":4584,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 01150{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":113,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514197279769698,"flow_dst_last_pkt_time":1514197279769664,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":132641,"flow_dst_tot_l4_payload_len":5738,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
@@ -24,10 +24,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6058852 bytes
-~~ total memory freed........: 6058852 bytes
+~~ total memory allocated....: 6058844 bytes
+~~ total memory freed........: 6058844 bytes
 ~~ total allocations/frees...: 121820/121820
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 2038 chars
-~~ json string avg len.......: 1256 chars
+~~ json string max len.......: 2036 chars
+~~ json string avg len.......: 1255 chars
diff --git a/test/results/mongo_false_positive.pcapng.out b/test/results/mongo_false_positive.pcapng.out
index 3c042bed0..777bacf7d 100644
--- a/test/results/mongo_false_positive.pcapng.out
+++ b/test/results/mongo_false_positive.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038419 bytes
-~~ total memory freed........: 6038419 bytes
+~~ total memory allocated....: 6038415 bytes
+~~ total memory freed........: 6038415 bytes
 ~~ total allocations/frees...: 121513/121513
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 507 chars
diff --git a/test/results/mongodb.pcap.out b/test/results/mongodb.pcap.out
index 090b7566e..4dbd5d9f0 100644
--- a/test/results/mongodb.pcap.out
+++ b/test/results/mongodb.pcap.out
@@ -43,8 +43,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045072 bytes
-~~ total memory freed........: 6045072 bytes
+~~ total memory allocated....: 6045052 bytes
+~~ total memory freed........: 6045052 bytes
 ~~ total allocations/frees...: 121558/121558
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/mpeg-dash.pcap.out b/test/results/mpeg-dash.pcap.out
index 38592a785..bef9b585a 100644
--- a/test/results/mpeg-dash.pcap.out
+++ b/test/results/mpeg-dash.pcap.out
@@ -33,8 +33,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6041411 bytes
-~~ total memory freed........: 6041411 bytes
+~~ total memory allocated....: 6041395 bytes
+~~ total memory freed........: 6041395 bytes
 ~~ total allocations/frees...: 121539/121539
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/mpeg.pcap.out b/test/results/mpeg.pcap.out
index 51aa95520..e3d911af9 100644
--- a/test/results/mpeg.pcap.out
+++ b/test/results/mpeg.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036254 bytes
-~~ total memory freed........: 6036254 bytes
+~~ total memory allocated....: 6036250 bytes
+~~ total memory freed........: 6036250 bytes
 ~~ total allocations/frees...: 121509/121509
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/mpegts.pcap.out b/test/results/mpegts.pcap.out
index 0b2d35cd9..66bee8352 100644
--- a/test/results/mpegts.pcap.out
+++ b/test/results/mpegts.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035646 bytes
-~~ total memory freed........: 6035646 bytes
+~~ total memory allocated....: 6035642 bytes
+~~ total memory freed........: 6035642 bytes
 ~~ total allocations/frees...: 121487/121487
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/mqtt.pcap.out b/test/results/mqtt.pcap.out
index 61703f4fc..3e1596b19 100644
--- a/test/results/mqtt.pcap.out
+++ b/test/results/mqtt.pcap.out
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037534 bytes
-~~ total memory freed........: 6037534 bytes
+~~ total memory allocated....: 6037526 bytes
+~~ total memory freed........: 6037526 bytes
 ~~ total allocations/frees...: 121506/121506
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/mssql_tds.pcap.out b/test/results/mssql_tds.pcap.out
index f1d8db1cc..182624146 100644
--- a/test/results/mssql_tds.pcap.out
+++ b/test/results/mssql_tds.pcap.out
@@ -66,8 +66,8 @@
 ~~ total active/idle flows...: 12/12
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6056703 bytes
-~~ total memory freed........: 6056703 bytes
+~~ total memory allocated....: 6056655 bytes
+~~ total memory freed........: 6056655 bytes
 ~~ total allocations/frees...: 121636/121636
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/mysql-8.pcap.out b/test/results/mysql-8.pcap.out
index 43aca8eed..2ee30a387 100644
--- a/test/results/mysql-8.pcap.out
+++ b/test/results/mysql-8.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035761 bytes
-~~ total memory freed........: 6035761 bytes
+~~ total memory allocated....: 6035757 bytes
+~~ total memory freed........: 6035757 bytes
 ~~ total allocations/frees...: 121491/121491
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/natpmp.pcap.out b/test/results/natpmp.pcap.out
index 14980cdc1..cedd00f8c 100644
--- a/test/results/natpmp.pcap.out
+++ b/test/results/natpmp.pcap.out
@@ -24,8 +24,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039104 bytes
-~~ total memory freed........: 6039104 bytes
+~~ total memory allocated....: 6039092 bytes
+~~ total memory freed........: 6039092 bytes
 ~~ total allocations/frees...: 121514/121514
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/nats.pcap.out b/test/results/nats.pcap.out
index e4c914e3e..d87a8149f 100644
--- a/test/results/nats.pcap.out
+++ b/test/results/nats.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042152 bytes
-~~ total memory freed........: 6042152 bytes
+~~ total memory allocated....: 6042144 bytes
+~~ total memory freed........: 6042144 bytes
 ~~ total allocations/frees...: 121526/121526
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/ndpi_match_string_subprotocol__error.pcapng.out b/test/results/ndpi_match_string_subprotocol__error.pcapng.out
index d8fb5323e..7074709c4 100644
--- a/test/results/ndpi_match_string_subprotocol__error.pcapng.out
+++ b/test/results/ndpi_match_string_subprotocol__error.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036167 bytes
-~~ total memory freed........: 6036167 bytes
+~~ total memory allocated....: 6036163 bytes
+~~ total memory freed........: 6036163 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 523 chars
diff --git a/test/results/nest_log_sink.pcap.out b/test/results/nest_log_sink.pcap.out
index 873e3ceeb..af1d35378 100644
--- a/test/results/nest_log_sink.pcap.out
+++ b/test/results/nest_log_sink.pcap.out
@@ -5,7 +5,7 @@
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1536712992228658,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1536712992289465,"pkt":"GLQwJjRAAJD7JidrCABFAAAoNpRAAC0G7egjrlLtwKjyDytX92zEgGGFCKi\/QFAQgdDz\/QAA"}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1536713052295189,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536713052295189,"pkt":"AJD7JidrGLQwJjRACABFAAAoL2MAAP8GYxnAqPIPI65S7fdsK1cIqL8\/xIBhhVAQD+Vl6gAAAAAAAAAA"}
 00559{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":51,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":30,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":7,"global_ts_usec":1536713593921755}
-01651{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":60807,"avg":38820860.0,"max":60122070,"stddev":28558074.0,"var":815563555209216.0,"ent":4.3,"data": [60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720,0]},"pktlen": {"min":54,"avg":57.0,"max":60,"stddev":3.0,"var":9.0,"ent":5.0,"data": [60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]}}
+01649{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":60807,"avg":38820860.0,"max":60122070,"stddev":28558074.0,"var":815563555209216.0,"ent":4.3,"data": [60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720]},"pktlen": {"min":54,"avg":57.0,"max":60,"stddev":3.0,"var":9.0,"ent":5.0,"data": [60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]}}
 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":101,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1536714195599741}
@@ -19,7 +19,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1536714602612148,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536714602681891,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX927RT8zNCL8kJGASbvDKWAAAAgQFjA=="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1536714602684345,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714602684345,"pkt":"AJD7JidrGLQwJjRACABFAAAoL4sAAP8GGxbAqPIPI7yauvduK1cIvyQk0U\/MzlAQEgA+3gAAAAAAAAAA"}
 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714604778211,"flow_dst_last_pkt_time":1536714603395466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536714604778211,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":199386.8,"max":1490586,"stddev":353669.1,"var":125081829376.0,"ent":3.7,"data": [69743,72197,635648,708301,5274,110825,1347393,1490586,118042,84290,55,88866,80271,82780,83378,79961,79977,80201,79559,79635,80946,81395,80711,79963,79339,79335,79882,72223,8456,80008,81752,0]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48330.3,"ent":4.5,"data": [60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":199386.8,"max":1490586,"stddev":353669.1,"var":125081829376.0,"ent":3.7,"data": [69743,72197,635648,708301,5274,110825,1347393,1490586,118042,84290,55,88866,80271,82780,83378,79961,79977,80201,79559,79635,80946,81395,80711,79963,79339,79335,79882,72223,8456,80008,81752]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48330.3,"ent":4.5,"data": [60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714602587655,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536714607328073,"pkt":"AJD7JidrGLQwJjRACABFAABXL7IAAP8RJoHAqPIPwKjyAc5xADUAQyQGbMYBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536714607530778,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536714607530778,"pkt":"AJD7JidrGLQwJjRACABFAAAsL7MAAP8GYsXAqPIPI65S7fdvK1cIymiPAAAAAGACEgDJ5gAAAgQEgAAA"}
@@ -32,7 +32,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1536714610318069,"flow_dst_last_pkt_time":1536714610314466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714610318069,"pkt":"AJD7JidrGLQwJjRACABFAAAoL78AAP8GGuLAqPIPI7yauvdwK1cI1a0IXLN8VlAQEgB69gAAAAAAAAAA"}
 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615108363,"flow_dst_last_pkt_time":1536714613730371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536714615108363,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":268,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714607527675,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536714675297074,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01788{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7081,"avg":8257794.5,"max":60077555,"stddev":19898212.0,"var":395938807939072.0,"ent":2.4,"data": [64103,66685,638775,711013,16458,201353,1246735,1463240,104910,69439,22020,94707,71220,78130,7081,87220,75789,84472,84342,76407,307337,280726,43263,5019615,5092313,178784,59560541,59727665,60063791,60077555,375945,0]},"pktlen": {"min":54,"avg":181.0,"max":731,"stddev":184.8,"var":34140.6,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54]},"bins": {"c_to_s": [9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7081,"avg":8257794.5,"max":60077555,"stddev":19898212.0,"var":395938807939072.0,"ent":2.4,"data": [64103,66685,638775,711013,16458,201353,1246735,1463240,104910,69439,22020,94707,71220,78130,7081,87220,75789,84472,84342,76407,307337,280726,43263,5019615,5092313,178784,59560541,59727665,60063791,60077555,375945]},"pktlen": {"min":54,"avg":181.0,"max":731,"stddev":184.8,"var":34140.6,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54]},"bins": {"c_to_s": [9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00939{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":42,"flow_dst_packets_processed":41,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536714607325706,"flow_dst_last_pkt_time":1536714607385830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":35,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714607322501,"flow_dst_last_pkt_time":1536714607319686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":12610,"flow_dst_tot_l4_payload_len":2221,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":10,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615546363,"flow_dst_last_pkt_time":1536714615544009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -51,7 +51,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":409,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1536716402828004,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536716402889007,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93El8kNOCOENtmASbvAVfwAAAgQFjA=="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":410,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1536716402894336,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536716402894336,"pkt":"AJD7JidrGLQwJjRACABFAAAoL\/kAAP8GGqjAqPIPI7yauvdxK1cI4Q22JfJDT1AQEgCKBAAAAAAAAAAA"}
 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":415,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716404974579,"flow_dst_last_pkt_time":1536716403590967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536716404974579,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":186128.2,"max":1477502,"stddev":337855.8,"var":114146574336.0,"ent":3.6,"data": [61003,66332,638637,696721,5239,274658,1166948,1477502,96252,57032,33,69584,64878,63516,66188,66283,63911,64139,63928,63783,65164,65050,63165,63274,64227,64111,63788,54150,11824,65153,63500,0]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":186128.2,"max":1477502,"stddev":337855.8,"var":114146574336.0,"ent":3.6,"data": [61003,66332,638637,696721,5239,274658,1166948,1477502,96252,57032,33,69584,64878,63516,66188,66283,63911,64139,63928,63783,65164,65050,63165,63274,64227,64111,63788,54150,11824,65153,63500]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":483,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716402805070,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536716407003782,"pkt":"AJD7JidrGLQwJjRACABFAABXMB8AAP8RJhTAqPIPwKjyAc5xADUAQ16pMiMBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536716407119984,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536716407119984,"pkt":"AJD7JidrGLQwJjRACABFAAAsMCAAAP8GYljAqPIPI65S7fdyK1cI7G5zAAAAAGACEgDD3QAAAgQEgAAA"}
@@ -68,7 +68,7 @@
 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":35,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716406969810,"flow_dst_last_pkt_time":1536716406967430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":12633,"flow_dst_tot_l4_payload_len":2220,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536716409847406,"flow_src_last_pkt_time":1536716412657238,"flow_dst_last_pkt_time":1536716412651629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":846,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01791{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6654,"avg":10037526.0,"max":60065954,"stddev":21842106.0,"var":477077551710208.0,"ent":2.6,"data": [66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627,0]},"pktlen": {"min":54,"avg":176.2,"max":731,"stddev":185.8,"var":34538.8,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01789{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6654,"avg":10037526.0,"max":60065954,"stddev":21842106.0,"var":477077551710208.0,"ent":2.6,"data": [66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627]},"pktlen": {"min":54,"avg":176.2,"max":731,"stddev":185.8,"var":34538.8,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716592575967,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":547,"packets-processed":424,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1536716652586979}
 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":595,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":595,"packets-processed":452,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":74,"global_ts_usec":1536717254253428}
@@ -83,7 +83,7 @@
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":615,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1536717428089363,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717428146200,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93SD5IA7CQNADmASbvBIIgAAAgQFjA=="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":616,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1536717428152738,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536717428152738,"pkt":"AJD7JidrGLQwJjRACABFAAAoMFIAAP8GGk\/AqPIPI7yauvd0K1cJA0AOg+SAPFAQEgC8pwAAAAAAAAAA"}
 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430226245,"flow_dst_last_pkt_time":1536717428843719,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536717430226245,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":185488.9,"max":1475007,"stddev":337125.5,"var":113653596160.0,"ent":3.6,"data": [56837,63375,631089,692531,4988,275292,1167126,1475007,94881,56956,41,68349,63598,63560,63263,63527,64323,71144,70310,64275,64470,63960,64294,64276,63689,63201,62870,53104,10769,65047,64005,0]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":185488.9,"max":1475007,"stddev":337125.5,"var":113653596160.0,"ent":3.6,"data": [56837,63375,631089,692531,4988,275292,1167126,1475007,94881,56956,41,68349,63598,63560,63263,63527,64323,71144,70310,64275,64470,63960,64294,64276,63689,63201,62870,53104,10769,65047,64005]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536717450091191,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536717450091191,"pkt":"AJD7JidrGLQwJjRACABFAAAsMG8AAP8GYgnAqPIPI65S7fd1K1cJDrE1AAAAAGACEgCA9gAAAgQEgAAA"}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":675,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450156309,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717450156309,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93XProMNCQ6xNmASaQPV8QAAAgQFtA=="}
@@ -94,7 +94,7 @@
 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717431514012,"flow_dst_last_pkt_time":1536717431511560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":7728,"flow_dst_tot_l4_payload_len":1615,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":711,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717632764427,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01794{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4297,"avg":15667489.0,"max":60116188,"stddev":26141992.0,"var":683403720523776.0,"ent":3.1,"data": [65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155,0]},"pktlen": {"min":54,"avg":159.1,"max":732,"stddev":181.0,"var":32752.9,"ent":4.3,"data": [60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54]},"bins": {"c_to_s": [10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01792{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4297,"avg":15667489.0,"max":60116188,"stddev":26141992.0,"var":683403720523776.0,"ent":3.1,"data": [65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155]},"pktlen": {"min":54,"avg":159.1,"max":732,"stddev":181.0,"var":32752.9,"ent":4.3,"data": [60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54]},"bins": {"c_to_s": [10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00570{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":727,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":727,"packets-processed":562,"total-skipped-flows":0,"total-l4-payload-len":56297,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":12,"total-detection-updates":3,"total-updates":6,"current-active-flows":1,"total-active-flows":12,"total-idle-flows":11,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":98,"global_ts_usec":1536717873194026}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718052990525,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718052990525,"pkt":"AJD7JidrGLQwJjRACABFAAAsMIsAAP8GYe3AqPIPI65S7fd2K1cJGivXAAAAAGACEgAGSAAAAgQEgAAA"}
@@ -112,10 +112,10 @@
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":782,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1536718202984094,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718203039605,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93fElurmCSWo1mASbvAz1wAAAgQFjA=="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":783,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1536718203042198,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718203042198,"pkt":"AJD7JidrGLQwJjRACABFAAAoMJwAAP8GGgXAqPIPI7yauvd3K1cJJajWxJbq51AQEgCoXAAAAAAAAAAA"}
 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":788,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205132060,"flow_dst_last_pkt_time":1536718203746505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536718205132060,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
-01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":188811.6,"max":1484002,"stddev":352858.6,"var":124509216768.0,"ent":3.6,"data": [55511,58104,637607,698601,8299,132470,1319785,1484002,100866,62363,34,73666,66291,66062,64356,70801,72468,66245,63705,65435,67073,65571,63470,63974,64872,66987,66191,76434,5185,82369,64364,0]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48309.8,"ent":4.5,"data": [60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":188811.6,"max":1484002,"stddev":352858.6,"var":124509216768.0,"ent":3.6,"data": [55511,58104,637607,698601,8299,132470,1319785,1484002,100866,62363,34,73666,66291,66062,64356,70801,72468,66245,63705,65435,67073,65571,63470,63974,64872,66987,66191,76434,5185,82369,64364]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48309.8,"ent":4.5,"data": [60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718206572751,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718206572751,"pkt":"AJD7JidrGLQwJjRACABFAAAsMLcAAP8GYcHAqPIPI65S7fd4K1cJMSXhAAAAAGACEgAMJQAAAgQEgAAA"}
-01787{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1252,"avg":9910454.0,"max":60155801,"stddev":20689402.0,"var":428051338887168.0,"ent":2.7,"data": [68635,72232,634362,701888,15937,150934,1314255,1491295,109213,70989,18037,93450,70186,72141,7151,80030,74076,77118,76505,41618,115484,208508,59946855,60155801,60057740,60124304,30586012,30652885,66856,1252,68314,0]},"pktlen": {"min":54,"avg":161.1,"max":731,"stddev":180.1,"var":32452.7,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54]},"bins": {"c_to_s": [10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01785{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1252,"avg":9910454.0,"max":60155801,"stddev":20689402.0,"var":428051338887168.0,"ent":2.7,"data": [68635,72232,634362,701888,15937,150934,1314255,1491295,109213,70989,18037,93450,70186,72141,7151,80030,74076,77118,76505,41618,115484,208508,59946855,60155801,60057740,60124304,30586012,30652885,66856,1252,68314]},"pktlen": {"min":54,"avg":161.1,"max":731,"stddev":180.1,"var":32452.7,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54]},"bins": {"c_to_s": [10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":836,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718206638073,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93jm8XvxCTEl4mASaQNQ+QAAAgQFtA=="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1536718206640512,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718206640512,"pkt":"AJD7JidrGLQwJjRACABFAAAoMLgAAP8GYcTAqPIPI65S7fd4K1cJMSXi5vF78lAQEgC\/uQAAAAAAAAAA"}
 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":844,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718208745973,"flow_dst_last_pkt_time":1536718207366595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":584,"flow_dst_tot_l4_payload_len":676,"midstream":0,"thread_ts_usec":1536718208745973,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -129,7 +129,7 @@
 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718206546300,"flow_dst_last_pkt_time":1536718206542604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":7843,"flow_dst_tot_l4_payload_len":1616,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00926{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536718209313555,"flow_src_last_pkt_time":1536718211968199,"flow_dst_last_pkt_time":1536718211965770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01790{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4658,"avg":10044835.0,"max":60173109,"stddev":21953530.0,"var":481957439864832.0,"ent":2.6,"data": [65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330,0]},"pktlen": {"min":54,"avg":176.2,"max":730,"stddev":185.8,"var":34529.8,"ent":4.4,"data": [60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01788{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4658,"avg":10044835.0,"max":60173109,"stddev":21953530.0,"var":481957439864832.0,"ent":2.6,"data": [65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330]},"pktlen": {"min":54,"avg":176.2,"max":730,"stddev":185.8,"var":34529.8,"ent":4.4,"data": [60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00909{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":896,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718392405835,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":900,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":900,"packets-processed":713,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":134,"global_ts_usec":1536718512170528}
 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":950,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":950,"packets-processed":743,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":135,"global_ts_usec":1536719113902134}
@@ -144,10 +144,10 @@
 ~~ total active/idle flows...: 17/17
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6108715 bytes
-~~ total memory freed........: 6108715 bytes
+~~ total memory allocated....: 6108647 bytes
+~~ total memory freed........: 6108647 bytes
 ~~ total allocations/frees...: 122433/122433
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1799 chars
-~~ json string avg len.......: 1147 chars
+~~ json string max len.......: 1797 chars
+~~ json string avg len.......: 1146 chars
diff --git a/test/results/netbios.pcap.out b/test/results/netbios.pcap.out
index 2bd221192..9aee9ca46 100644
--- a/test/results/netbios.pcap.out
+++ b/test/results/netbios.pcap.out
@@ -16,7 +16,7 @@
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772216537634,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1447772216537634,"l3_proto":"ip4","src_ip":"10.0.4.24","dst_ip":"10.0.4.131","src_port":139,"dst_port":1398,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1447772216537634,"pkt":"ABj+bLz3ABzEEHkPCABFAAApQatAAIAGnIkKAAQYCgAEgwCLBXatXRk68Re6KFAQ96kjtgAAAAAAAAAA"}
 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537735,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1447772216537735,"pkt":"ABzEEHkPABj+bLz3CABFAAAoY6dAAIAGeo4KAASDCgAEGAV2AIvxF7oorV0ZO1AQ+ycgOAAAAAAAAAAA"}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14022,"avg":325313.6,"max":749995,"stddev":214669.9,"var":46083158016.0,"ent":4.6,"data": [471274,14022,264705,470792,80220,113829,555812,80046,113289,146849,489849,113312,146439,749995,33651,749542,308595,441426,307586,628917,121033,628920,470970,278997,470688,458539,291466,334217,123758,93119,532865,0]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14022,"avg":325313.6,"max":749995,"stddev":214669.9,"var":46083158016.0,"ent":4.6,"data": [471274,14022,264705,470792,80220,113829,555812,80046,113289,146849,489849,113312,146439,749995,33651,749542,308595,441426,307586,628917,121033,628920,470970,278997,470688,458539,291466,334217,123758,93119,532865]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772221776592,"pkt":"ABzEEHkPACFislxDCABFAABOBFAAAH8RHeEKAAFXCgAEGOHsAIkAOqS0IKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="}
 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"*"}}
@@ -50,7 +50,7 @@
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772238721634,"pkt":"\/\/\/\/\/\/\/\/EGBLoLzrCABFAABOP6wAAIAR3OYKAAQOCgAF\/wCJAIkAOtzbuxABEAABAAAAAAAAIEVIRkZGQ0ZGQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="}
 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772238721634,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772238721634,"l3_proto":"ip4","src_ip":"10.0.4.14","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"guru"}}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"netbios.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1447772239929129,"flow_dst_last_pkt_time":1447772221882535,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772239929129,"pkt":"\/\/\/\/\/\/\/\/AOCBdSQGCABFAABOZPwAAIARtz8KAARlCgAF\/wCJAIkAOvRglzYBEAABAAAAAAAAIEVPRkdGQ0RKQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="}
-01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":749128,"avg":995439.4,"max":1515990,"stddev":356068.3,"var":126784610304.0,"ent":4.9,"data": [749395,750108,1510862,749350,750084,1512101,749146,750073,1513657,749593,750165,1509201,749922,750117,1511084,749128,750100,1515990,749246,750060,1507974,749281,750095,1513465,749807,750021,1513052,749194,750091,1506879,749381,0]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":749128,"avg":995439.4,"max":1515990,"stddev":356068.3,"var":126784610304.0,"ent":4.9,"data": [749395,750108,1510862,749350,750084,1512101,749146,750073,1513657,749593,750165,1509201,749922,750117,1511084,749128,750100,1515990,749246,750060,1507974,749281,750095,1513465,749807,750021,1513052,749194,750091,1506879,749381]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":173,"source":"netbios.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1447772248480903,"flow_dst_last_pkt_time":1447772238479218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772248480903,"pkt":"ABzEEHkPAOCBt8asCABFAABORZkAAIAR1wUKAAXpCgAEGACJAIkAOgf2mjgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772251795162,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772251795162,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57921,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772251795162,"pkt":"ABzEEHkPACFislxDCABFAABOJRwAAH8R\/RQKAAFXCgAEGOJBAIkAOqRfIKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="}
@@ -84,10 +84,10 @@
 ~~ total active/idle flows...: 15/15
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6067773 bytes
-~~ total memory freed........: 6067773 bytes
+~~ total memory allocated....: 6067713 bytes
+~~ total memory freed........: 6067713 bytes
 ~~ total allocations/frees...: 121879/121879
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1752 chars
-~~ json string avg len.......: 1121 chars
+~~ json string max len.......: 1750 chars
+~~ json string avg len.......: 1120 chars
diff --git a/test/results/netbios_wildcard_dns_query.pcap.out b/test/results/netbios_wildcard_dns_query.pcap.out
index 4463c6e45..b9eaa286c 100644
--- a/test/results/netbios_wildcard_dns_query.pcap.out
+++ b/test/results/netbios_wildcard_dns_query.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 511 chars
diff --git a/test/results/netflix.pcap.out b/test/results/netflix.pcap.out
index ce197037e..70efcdb55 100644
--- a/test/results/netflix.pcap.out
+++ b/test/results/netflix.pcap.out
@@ -48,8 +48,8 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1484319033259678,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319033259678,"pkt":"gCqoTGHM5JjWH70UCABFAAA0m4FAAEAG5U7AqAEHNCDEJM99AbszkZRh0pqER4AQEBVneAAAAQEICh9kuYW2m8Wo"}
 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033261891,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033312558,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319033312558,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
-01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":39766.2,"max":363670,"stddev":81851.3,"var":6699630080.0,"ent":3.2,"data": [46025,48575,597,54003,1611,989,54938,11050,13463,9437,301,377,58747,4648,50832,1878,237,59545,562,62143,8477,4734,310931,590,363670,5842,131,72,58058,152,137,0]},"pktlen": {"min":66,"avg":279.2,"max":1514,"stddev":396.8,"var":157454.8,"ent":4.0,"data": [78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
-01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":191,"avg":34820.4,"max":199917,"stddev":47580.3,"var":2263883008.0,"ent":3.8,"data": [45497,51828,277,66352,510,13769,75518,25611,26489,15622,271,195,60990,421,44123,5113,191,57731,67780,234,2712,130987,13830,8367,10032,8058,2353,2270,141147,1238,199917,0]},"pktlen": {"min":66,"avg":444.8,"max":1514,"stddev":557.4,"var":310647.7,"ent":4.0,"data": [78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0],"s_to_c": [5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1]}}
+01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":39766.2,"max":363670,"stddev":81851.3,"var":6699630080.0,"ent":3.2,"data": [46025,48575,597,54003,1611,989,54938,11050,13463,9437,301,377,58747,4648,50832,1878,237,59545,562,62143,8477,4734,310931,590,363670,5842,131,72,58058,152,137]},"pktlen": {"min":66,"avg":279.2,"max":1514,"stddev":396.8,"var":157454.8,"ent":4.0,"data": [78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
+01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":191,"avg":34820.4,"max":199917,"stddev":47580.3,"var":2263883008.0,"ent":3.8,"data": [45497,51828,277,66352,510,13769,75518,25611,26489,15622,271,195,60990,421,44123,5113,191,57731,67780,234,2712,130987,13830,8367,10032,8058,2353,2270,141147,1238,199917]},"pktlen": {"min":66,"avg":444.8,"max":1514,"stddev":557.4,"var":310647.7,"ent":4.0,"data": [78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0],"s_to_c": [5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1]}}
 01612{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033631945,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319033631945,"pkt":"gCqoTGHM5JjWH70UCABFAABAVMpAAEAGIQjAqAEHNkXM8c9+AbvPvqpAAAAAALAC\/\/9MiwAAAgQFtAEDAwUBAQgKH2S67gAAAAAEAgAA"}
@@ -97,7 +97,7 @@
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":268,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035399304,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319035399304,"pkt":"gCqoTGHM5JjWH70UCABFAAA0+2BAAEAGIdDAqAEHNFkni8+OAbvRf5R+2AMl5IAQEBW8GgAAAQEICh9kwZ2tiMk\/"}
 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":269,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319035401110,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":279,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035449894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319035449894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
-01592{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":41275.9,"max":350146,"stddev":77246.2,"var":5966969856.0,"ent":3.5,"data": [50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338,0]},"pktlen": {"min":66,"avg":544.2,"max":1514,"stddev":630.5,"var":397553.6,"ent":4.1,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0]}}
+01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":41275.9,"max":350146,"stddev":77246.2,"var":5966969856.0,"ent":3.5,"data": [50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338]},"pktlen": {"min":66,"avg":544.2,"max":1514,"stddev":630.5,"var":397553.6,"ent":4.1,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0]}}
 01692{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}}
 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":321,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035889509,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"thread_ts_usec":1484319035889509,"pkt":"AQBef\/\/65JjWH70UCABFAACW0KMAAAERNwrAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":323,"source":"netflix.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319036827113,"flow_src_last_pkt_time":1484319036827113,"flow_dst_last_pkt_time":1484319036827113,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036827113,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57719,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -112,8 +112,8 @@
 01088{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":328,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036865722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036870445,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":330,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036889708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319036889708,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01578{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036894463,"flow_dst_last_pkt_time":1484319036900382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":3414,"midstream":0,"thread_ts_usec":1484319036900382,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}}
-01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":8297.1,"max":40245,"stddev":10476.7,"var":109761248.0,"ent":3.9,"data": [11378,14427,1674,21129,2857,316,24018,10358,7406,16914,385,833,30795,4734,18083,26013,249,318,147,231,142,435,4518,193,40245,7107,5353,4161,461,364,1965,0]},"pktlen": {"min":66,"avg":269.3,"max":1514,"stddev":414.2,"var":171525.6,"ent":4.0,"data": [78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66]},"bins": {"c_to_s": [8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
-01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":147,"avg":501615.3,"max":7507819,"stddev":1826252.6,"var":3335198867456.0,"ent":1.4,"data": [49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990,0]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":520.7,"var":271128.8,"ent":3.9,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488]},"bins": {"c_to_s": [10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1]}}
+01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":8297.1,"max":40245,"stddev":10476.7,"var":109761248.0,"ent":3.9,"data": [11378,14427,1674,21129,2857,316,24018,10358,7406,16914,385,833,30795,4734,18083,26013,249,318,147,231,142,435,4518,193,40245,7107,5353,4161,461,364,1965]},"pktlen": {"min":66,"avg":269.3,"max":1514,"stddev":414.2,"var":171525.6,"ent":4.0,"data": [78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66]},"bins": {"c_to_s": [8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
+01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":147,"avg":501615.3,"max":7507819,"stddev":1826252.6,"var":3335198867456.0,"ent":1.4,"data": [49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":520.7,"var":271128.8,"ent":3.9,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488]},"bins": {"c_to_s": [10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1]}}
 01691{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319042988806,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319042988806,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1484319042988806,"pkt":"gCqoTGHM5JjWH70UCABFAABGkh4AAP8Rpi\/AqAEHwKgBAecsADUAMtLh8roBAAABAAAAAAAAB2FydHdvcmsEYWthbQduZmx4aW1nA25ldAAAAQAB"}
@@ -135,7 +135,7 @@
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1484319043665565,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319043688511,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADwG+Lm4GcwZwKgBBwBQz57u7DQucjxhCKAScSCMigAAAgQFtAQCCAr\/\/D2rH2ThCQEDAwU="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":670,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1484319043689999,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319043689999,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VAZAAEAGoNvAqAEHuBnMGc+eAFByPGEI7uw0L4AQEBUcSAAAAQEICh9k4SH\/\/D2r"}
 01071{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":671,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319043665565,"flow_src_last_pkt_time":1484319043691581,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319043691581,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53150,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-2.nflximg.net","http": {"url":"art-2.nflximg.net\/87b33\/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}}
-01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6882,"avg":97129.5,"max":1300093,"stddev":229777.6,"var":52797755392.0,"ent":3.4,"data": [22705,29125,36813,70338,13255,32378,25989,101810,6882,28009,25233,44994,56409,27146,27165,53793,54320,26078,52109,80662,53766,398536,54325,39942,109640,40469,26128,51507,108074,13323,1300093,0]},"pktlen": {"min":66,"avg":1115.9,"max":1514,"stddev":637.7,"var":406609.6,"ent":4.7,"data": [78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94]},"bins": {"c_to_s": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6882,"avg":97129.5,"max":1300093,"stddev":229777.6,"var":52797755392.0,"ent":3.4,"data": [22705,29125,36813,70338,13255,32378,25989,101810,6882,28009,25233,44994,56409,27146,27165,53793,54320,26078,52109,80662,53766,398536,54325,39942,109640,40469,26128,51507,108074,13323,1300093]},"pktlen": {"min":66,"avg":1115.9,"max":1514,"stddev":637.7,"var":406609.6,"ent":4.7,"data": [78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94]},"bins": {"c_to_s": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":703,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1484319044993872,"flow_dst_last_pkt_time":1484319030789585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1484319044993872,"pkt":"gCqoTGHM5JjWH70UCABFAAAoz5tAAEAGHmfAqAEHNBhXBs7BAbvkIOdlTYzTZlAUEACWDAAAAAAAAAAA"}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319048757894,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048757894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":58102,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1484319048757894,"pkt":"gCqoTGHM5JjWH70UCABFAABBS2MAAP8R7O\/AqAEHwKgBAeL2ADUALZ5c\/mQBAAABAAAAAAAAB2FwcGJvb3QHbmV0ZmxpeANjb20AAAEAAQ=="}
@@ -147,7 +147,7 @@
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":798,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1484319048780859,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319048824981,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGmJ82yb+EwKgBBwBQz59tgW\/FOnvHe6ASRep1DwAAAgQFtAQCCApXXrqDH2T0hAEDAwg="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":799,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1484319048826457,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319048826457,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VQxAAEAGLbvAqAEHNsm\/hM+fAFA6e8d7bYFvxoAQEBXZhAAAAQEICh9k9LFXXrqD"}
 01105{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":800,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319048830359,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048830359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"appboot.netflix.com","http": {"url":"appboot.netflix.com\/appboot\/NFAPPL-02-","code":0,"content_type":"","user_agent":"Argo\/900 CFNetwork\/808.2.16 Darwin\/16.3.0","request_content_type":"application\/x-www-form-urlencoded"}}}
-01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":29165.1,"max":187154,"stddev":42322.7,"var":1791214592.0,"ent":4.0,"data": [44122,45598,3902,10660,193,60003,5736,990,135055,302,187154,5655,5706,13881,14022,13277,14383,27821,13324,13128,9212,13280,22521,13399,39251,13309,13303,13855,13324,13288,124463,0]},"pktlen": {"min":66,"avg":826.3,"max":1514,"stddev":674.9,"var":455511.9,"ent":4.4,"data": [78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":29165.1,"max":187154,"stddev":42322.7,"var":1791214592.0,"ent":4.0,"data": [44122,45598,3902,10660,193,60003,5736,990,135055,302,187154,5655,5706,13881,14022,13277,14383,27821,13324,13128,9212,13280,22521,13399,39251,13309,13303,13855,13324,13288,124463]},"pktlen": {"min":66,"avg":826.3,"max":1514,"stddev":674.9,"var":455511.9,"ent":4.4,"data": [78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049465573,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049465573,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53152,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319049465573,"pkt":"gCqoTGHM5JjWH70UCABFAABAjtZAAEAGjk7AqAEHNFkni8+gAFCVL\/AiAAAAALAC\/\/+toQAAAgQFtAEDAwUBAQgKH2T3IAAAAAAEAgAA"}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":863,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049510947,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319049510947,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGMwk0WSeLwKgBBwBQz6CC\/YxQlS\/wI6ASRerkyQAAAgQFtAQCCAqtiNcHH2T3IAEDAwg="}
@@ -160,7 +160,7 @@
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"thread_ts_usec":1484319049645637,"pkt":"gCqoTGHM5JjWH70UCABFAABCunsAAEARPNfAqAEHwKgBAcx7ADUALmwlX+cBAAABAAAAAAAAA2lvcwRuY2NwB25ldGZsaXgDY29tAAAcAAE="}
 01000{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":590,"avg":428029.7,"max":6030936,"stddev":1231580.9,"var":1516791529472.0,"ent":2.3,"data": [22448,28943,26758,57708,590,13165,40076,31828,42757,26526,25526,50240,53221,30909,25521,54871,53768,27167,52693,79537,53772,544724,1519985,11557,27351,27280,28765,635381,3643850,6030936,1068,0]},"pktlen": {"min":66,"avg":809.6,"max":1514,"stddev":706.6,"var":499284.2,"ent":4.3,"data": [78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":590,"avg":428029.7,"max":6030936,"stddev":1231580.9,"var":1516791529472.0,"ent":2.3,"data": [22448,28943,26758,57708,590,13165,40076,31828,42757,26526,25526,50240,53221,30909,25521,54871,53768,27167,52693,79537,53772,544724,1519985,11557,27351,27280,28765,635381,3643850,6030936,1068]},"pktlen": {"min":66,"avg":809.6,"max":1514,"stddev":706.6,"var":499284.2,"ent":4.3,"data": [78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"thread_ts_usec":1484319049665892,"pkt":"5JjWH70UgCqoTGHMCABFAABi4UdAAEAR1erAqAEBwKgBBwA1yhAATkFkBBqBgAABAAIAAAAABGE4MDMEZHNjZwZha2FtYWkDbmV0AAABAAHADAABAAEAAAAMAAS4GcwYwAwAAQABAAAADAAEuBnMKA=="}
 01012{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049641053,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":70,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1484319049665892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51728,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a803.dscg.akamai.net","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"184.25.204.24"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":895,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319049672494,"flow_dst_last_pkt_time":1484319049672494,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049672494,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -183,20 +183,20 @@
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":970,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1484319050652467,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319050677236,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmYX9guRwKgBBwBQz6susPTdvF5ArqAS\/\/\/2WQAAAgQFtAEDAwkEAggKRVwbeB9k+44="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":971,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1484319050678757,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319050678757,"pkt":"gCqoTGHM5JjWH70UCABFAAA0kSxAAEAGxGHAqAEHF\/YLkc+rAFC8XkCuLrD03oAQEBUU+gAAAQEICh9k+6dFXBt4"}
 01354{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":972,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319050682551,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319050682551,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.145","http": {"url":"23.246.11.145\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=3930708224","code":0,"content_type":"","user_agent":"netflix-ios-app"}}}
-01894{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3794,"avg":82202.4,"max":651024,"stddev":153564.6,"var":23582076928.0,"ent":3.6,"data": [24769,26290,3794,42485,4828,43771,27157,40474,69366,43854,44827,78254,38808,79815,102619,28781,14718,354324,85041,14066,12423,12747,651024,22850,582496,8619,27490,16417,16392,14698,15077,0]},"pktlen": {"min":66,"avg":954.8,"max":1514,"stddev":683.5,"var":467159.1,"ent":4.5,"data": [78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3794,"avg":82202.4,"max":651024,"stddev":153564.6,"var":23582076928.0,"ent":3.6,"data": [24769,26290,3794,42485,4828,43771,27157,40474,69366,43854,44827,78254,38808,79815,102619,28781,14718,354324,85041,14066,12423,12747,651024,22850,582496,8619,27490,16417,16392,14698,15077]},"pktlen": {"min":66,"avg":954.8,"max":1514,"stddev":683.5,"var":467159.1,"ent":4.5,"data": [78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052216458,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319052216458,"pkt":"gCqoTGHM5JjWH70UCABFAABAN3hAAEAGHxDAqAEHF\/YKi8+sAFBgdy0VAAAAALAC\/\/\/UZQAAAgQFtAEDAwUBAQgKH2UBeQAAAAAEAgAA"}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1031,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319052235250,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGW2wX9gqLwKgBBwBQz6xlmlqWYHctFqAS\/\/8JBgAAAgQFtAEDAwkEAggKQI7bkB9lAXk="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_src_last_pkt_time":1484319052237833,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319052237833,"pkt":"gCqoTGHM5JjWH70UCABFAAA0JFZAAEAGMj7AqAEHF\/YKi8+sAFBgdy0WZZpal4AQEBUnrAAAAQEICh9lAYxAjtuQ"}
 01355{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1033,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052242977,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052242977,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.10.139","http": {"url":"23.246.10.139\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=3407360776","code":0,"content_type":"","user_agent":"netflix-ios-app"}}}
-01894{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1043,"avg":88202.9,"max":638852,"stddev":151898.7,"var":23073200128.0,"ent":3.7,"data": [18792,21375,5144,35741,1043,5439,35508,13242,13983,20324,20435,13235,116191,170244,28107,56564,51631,31663,27571,12760,327583,131379,638852,579987,19881,15021,30035,13582,42286,118688,118005,0]},"pktlen": {"min":66,"avg":865.9,"max":1514,"stddev":697.4,"var":486427.5,"ent":4.4,"data": [78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1043,"avg":88202.9,"max":638852,"stddev":151898.7,"var":23073200128.0,"ent":3.7,"data": [18792,21375,5144,35741,1043,5439,35508,13242,13983,20324,20435,13235,116191,170244,28107,56564,51631,31663,27571,12760,327583,131379,638852,579987,19881,15021,30035,13582,42286,118688,118005]},"pktlen": {"min":66,"avg":865.9,"max":1514,"stddev":697.4,"var":486427.5,"ent":4.4,"data": [78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054101585,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319054101585,"pkt":"gCqoTGHM5JjWH70UCABFAABA9bFAAEAGZ9XAqAEHF\/YDjM+zAFBtwXYMAAAAALAC\/\/99\/AAAAgQFtAEDAwUBAQgKH2UImQAAAAAEAgAA"}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319054132376,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADgGZWsX9gOMwKgBBwBQz7OFwt93bcF2DaAS\/\/\/aJAAAAgQFtAEDAwkEAggKhKDK7B9lCJk="}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1102,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1484319054134077,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319054134077,"pkt":"gCqoTGHM5JjWH70UCABFAAA0mQ1AAEAGxIXAqAEHF\/YDjM+zAFBtwXYNhcLfeIAQEBX4vQAAAQEICh9lCLmEoMrs"}
 01351{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054139605,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054139605,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.3.140","http": {"url":"23.246.3.140\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657","code":0,"content_type":"","user_agent":"netflix-ios-app"}}}
-01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2187,"avg":18424.1,"max":44333,"stddev":10032.7,"var":100655136.0,"ent":4.7,"data": [30791,32492,5528,44333,2187,41107,2921,12763,15575,14938,14982,12802,12713,26425,12767,11943,13284,17180,31033,13321,13566,25571,14329,13905,26660,13805,13288,27210,13255,13305,27167,0]},"pktlen": {"min":66,"avg":998.9,"max":1514,"stddev":672.7,"var":452466.1,"ent":4.5,"data": [78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2986,"avg":319102.6,"max":4093620,"stddev":811857.0,"var":659111739392.0,"ent":2.8,"data": [24907,27714,2986,28468,27857,27840,80258,56838,56993,49295,90365,82473,40903,66540,53920,192092,80506,134732,711253,22984,31289,47833,1645394,40376,54849,160828,1864439,25699,40451,28479,4093620,0]},"pktlen": {"min":66,"avg":625.1,"max":1514,"stddev":689.4,"var":475329.8,"ent":4.1,"data": [78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514]},"bins": {"c_to_s": [17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2187,"avg":18424.1,"max":44333,"stddev":10032.7,"var":100655136.0,"ent":4.7,"data": [30791,32492,5528,44333,2187,41107,2921,12763,15575,14938,14982,12802,12713,26425,12767,11943,13284,17180,31033,13321,13566,25571,14329,13905,26660,13805,13288,27210,13255,13305,27167]},"pktlen": {"min":66,"avg":998.9,"max":1514,"stddev":672.7,"var":452466.1,"ent":4.5,"data": [78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01890{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2986,"avg":319102.6,"max":4093620,"stddev":811857.0,"var":659111739392.0,"ent":2.8,"data": [24907,27714,2986,28468,27857,27840,80258,56838,56993,49295,90365,82473,40903,66540,53920,192092,80506,134732,711253,22984,31289,47833,1645394,40376,54849,160828,1864439,25699,40451,28479,4093620]},"pktlen": {"min":66,"avg":625.1,"max":1514,"stddev":689.4,"var":475329.8,"ent":4.1,"data": [78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514]},"bins": {"c_to_s": [17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056204111,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319056204111,"pkt":"gCqoTGHM5JjWH70UCABFAABAfy9AAEAG1l7AqAEHF\/YLhc+0AFDwxwoWAAAAALAC\/\/9XEAAAAgQFtAEDAwUBAQgKH2UQewAAAAAEAgAA"}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1232,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319056210218,"flow_dst_last_pkt_time":1484319056210218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056210218,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -252,18 +252,18 @@
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1283,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1484319056327623,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319056327623,"pkt":"gCqoTGHM5JjWH70UCABFAAA0Fj1AAEAGP1XAqAEHF\/YLjc++AFBtOQm7PQ6az4AQEBV4RwAAAQEICh9lEOzE7\/UM"}
 01358{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1285,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319056336202,"flow_dst_last_pkt_time":1484319056326114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056336202,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=129454076","code":0,"content_type":"","user_agent":"netflix-ios-app"}}}
 01357{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1286,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319056347066,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056347066,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=4209810633","code":0,"content_type":"","user_agent":"netflix-ios-app"}}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":394,"avg":201312.9,"max":2097549,"stddev":403399.4,"var":162731114496.0,"ent":3.6,"data": [61813,72267,473,134860,394,125851,1162295,73601,899,212949,11519,409208,101075,1892,70852,2097549,79500,52131,129820,120649,42895,59919,67076,69354,174355,284029,29385,65003,252681,150502,125903,0]},"pktlen": {"min":66,"avg":507.7,"max":1514,"stddev":638.1,"var":407212.3,"ent":3.9,"data": [78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01887{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":135,"avg":280753.9,"max":1046959,"stddev":300914.6,"var":90549583872.0,"ent":4.2,"data": [43730,45845,23628,124789,4917,111637,635898,176069,176,135,41643,37401,940199,857,45449,434520,483806,1046959,74656,202356,418896,472205,955340,169880,525271,694311,167240,252312,98045,326303,148897,0]},"pktlen": {"min":66,"avg":504.1,"max":1514,"stddev":638.9,"var":408170.9,"ent":3.9,"data": [78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":569,"avg":284358.9,"max":1636184,"stddev":362564.9,"var":131453321216.0,"ent":4.0,"data": [16087,19422,23622,88585,4002,82236,1105315,26930,21843,19608,569,13093,381586,1636184,66410,119030,421421,408128,882662,90167,143374,490378,519431,92259,120978,487097,597701,217631,227512,270000,221864,0]},"pktlen": {"min":66,"avg":550.6,"max":1514,"stddev":657.9,"var":432827.8,"ent":4.0,"data": [78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01906{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4949,"avg":290996.3,"max":1397235,"stddev":314333.5,"var":98805530624.0,"ent":4.2,"data": [23914,25117,18248,72539,4949,71292,152183,249467,985618,26703,1397235,519076,299466,499851,482346,40528,55620,206768,137068,537495,535230,174291,571825,775969,198842,230534,89909,283953,128056,116304,110490,0]},"pktlen": {"min":66,"avg":730.2,"max":1514,"stddev":699.0,"var":488561.8,"ent":4.2,"data": [78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01888{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":342,"avg":300105.7,"max":2716440,"stddev":539188.2,"var":290723889152.0,"ent":3.6,"data": [61747,63082,19443,172653,342,153906,1162512,94154,1429,12319,104280,65945,674747,41474,39967,488929,2716440,44869,75746,28743,32797,29468,133613,256105,742961,71312,1131465,569658,135441,73631,104098,0]},"pktlen": {"min":66,"avg":506.6,"max":1514,"stddev":638.8,"var":408052.9,"ent":3.9,"data": [78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":302592.9,"max":3094333,"stddev":556136.4,"var":309287714816.0,"ent":3.7,"data": [19993,22151,5332,69145,137,72224,626011,606979,26604,520264,51479,55493,593239,41657,80288,418048,3094333,65564,425655,469983,40810,84995,52141,54303,117697,383081,387305,709380,53664,73805,158619,0]},"pktlen": {"min":66,"avg":461.8,"max":1514,"stddev":616.5,"var":380048.7,"ent":3.9,"data": [78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":266,"avg":294252.3,"max":2608516,"stddev":529173.0,"var":280024055808.0,"ent":3.5,"data": [61899,63035,8952,155118,266,150147,1152400,92133,498,591361,113696,141666,52293,522,39853,381137,2608516,28241,68204,27169,29555,26620,56459,81742,44814,43749,497350,496550,1208877,807442,91559,0]},"pktlen": {"min":66,"avg":463.2,"max":1514,"stddev":615.6,"var":378913.2,"ent":3.9,"data": [78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":322294.1,"max":3064500,"stddev":576519.8,"var":332375130112.0,"ent":3.6,"data": [11668,15660,2402,60224,1206,79,57126,107813,316921,313910,536684,811161,71198,122498,693690,84709,585634,3064500,52838,57895,98411,231468,526235,115101,671,585669,117652,1178873,25807,79129,64284,0]},"pktlen": {"min":66,"avg":509.0,"max":1514,"stddev":637.2,"var":406023.8,"ent":4.0,"data": [78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01890{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":240,"avg":355944.2,"max":3546297,"stddev":682699.4,"var":466078498816.0,"ent":3.5,"data": [43247,45294,13187,106701,4927,97880,1317695,102059,98186,240,515839,59813,1148424,57207,54890,165165,3546297,68400,92258,155981,131046,69975,95851,103962,104462,205130,729427,91959,551213,1189389,68168,0]},"pktlen": {"min":66,"avg":507.2,"max":1514,"stddev":638.4,"var":407523.4,"ent":3.9,"data": [78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01889{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":414504.9,"max":4457097,"stddev":811357.3,"var":658300731392.0,"ent":3.6,"data": [41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793,0]},"pktlen": {"min":66,"avg":552.1,"max":1514,"stddev":656.8,"var":431419.8,"ent":4.0,"data": [78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":682,"avg":435375.1,"max":4431980,"stddev":814478.7,"var":663375511552.0,"ent":3.6,"data": [43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669,0]},"pktlen": {"min":66,"avg":418.2,"max":1514,"stddev":589.2,"var":347103.4,"ent":3.8,"data": [78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514]},"bins": {"c_to_s": [22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01588{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":136,"avg":1958267.8,"max":30086001,"stddev":7379834.5,"var":54461959503872.0,"ent":1.1,"data": [47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822,0]},"pktlen": {"min":66,"avg":394.0,"max":1514,"stddev":556.9,"var":310128.2,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1]}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":394,"avg":201312.9,"max":2097549,"stddev":403399.4,"var":162731114496.0,"ent":3.6,"data": [61813,72267,473,134860,394,125851,1162295,73601,899,212949,11519,409208,101075,1892,70852,2097549,79500,52131,129820,120649,42895,59919,67076,69354,174355,284029,29385,65003,252681,150502,125903]},"pktlen": {"min":66,"avg":507.7,"max":1514,"stddev":638.1,"var":407212.3,"ent":3.9,"data": [78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":135,"avg":280753.9,"max":1046959,"stddev":300914.6,"var":90549583872.0,"ent":4.2,"data": [43730,45845,23628,124789,4917,111637,635898,176069,176,135,41643,37401,940199,857,45449,434520,483806,1046959,74656,202356,418896,472205,955340,169880,525271,694311,167240,252312,98045,326303,148897]},"pktlen": {"min":66,"avg":504.1,"max":1514,"stddev":638.9,"var":408170.9,"ent":3.9,"data": [78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01891{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":569,"avg":284358.9,"max":1636184,"stddev":362564.9,"var":131453321216.0,"ent":4.0,"data": [16087,19422,23622,88585,4002,82236,1105315,26930,21843,19608,569,13093,381586,1636184,66410,119030,421421,408128,882662,90167,143374,490378,519431,92259,120978,487097,597701,217631,227512,270000,221864]},"pktlen": {"min":66,"avg":550.6,"max":1514,"stddev":657.9,"var":432827.8,"ent":4.0,"data": [78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01904{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4949,"avg":290996.3,"max":1397235,"stddev":314333.5,"var":98805530624.0,"ent":4.2,"data": [23914,25117,18248,72539,4949,71292,152183,249467,985618,26703,1397235,519076,299466,499851,482346,40528,55620,206768,137068,537495,535230,174291,571825,775969,198842,230534,89909,283953,128056,116304,110490]},"pktlen": {"min":66,"avg":730.2,"max":1514,"stddev":699.0,"var":488561.8,"ent":4.2,"data": [78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":342,"avg":300105.7,"max":2716440,"stddev":539188.2,"var":290723889152.0,"ent":3.6,"data": [61747,63082,19443,172653,342,153906,1162512,94154,1429,12319,104280,65945,674747,41474,39967,488929,2716440,44869,75746,28743,32797,29468,133613,256105,742961,71312,1131465,569658,135441,73631,104098]},"pktlen": {"min":66,"avg":506.6,"max":1514,"stddev":638.8,"var":408052.9,"ent":3.9,"data": [78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":302592.9,"max":3094333,"stddev":556136.4,"var":309287714816.0,"ent":3.7,"data": [19993,22151,5332,69145,137,72224,626011,606979,26604,520264,51479,55493,593239,41657,80288,418048,3094333,65564,425655,469983,40810,84995,52141,54303,117697,383081,387305,709380,53664,73805,158619]},"pktlen": {"min":66,"avg":461.8,"max":1514,"stddev":616.5,"var":380048.7,"ent":3.9,"data": [78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":266,"avg":294252.3,"max":2608516,"stddev":529173.0,"var":280024055808.0,"ent":3.5,"data": [61899,63035,8952,155118,266,150147,1152400,92133,498,591361,113696,141666,52293,522,39853,381137,2608516,28241,68204,27169,29555,26620,56459,81742,44814,43749,497350,496550,1208877,807442,91559]},"pktlen": {"min":66,"avg":463.2,"max":1514,"stddev":615.6,"var":378913.2,"ent":3.9,"data": [78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":322294.1,"max":3064500,"stddev":576519.8,"var":332375130112.0,"ent":3.6,"data": [11668,15660,2402,60224,1206,79,57126,107813,316921,313910,536684,811161,71198,122498,693690,84709,585634,3064500,52838,57895,98411,231468,526235,115101,671,585669,117652,1178873,25807,79129,64284]},"pktlen": {"min":66,"avg":509.0,"max":1514,"stddev":637.2,"var":406023.8,"ent":4.0,"data": [78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01888{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":240,"avg":355944.2,"max":3546297,"stddev":682699.4,"var":466078498816.0,"ent":3.5,"data": [43247,45294,13187,106701,4927,97880,1317695,102059,98186,240,515839,59813,1148424,57207,54890,165165,3546297,68400,92258,155981,131046,69975,95851,103962,104462,205130,729427,91959,551213,1189389,68168]},"pktlen": {"min":66,"avg":507.2,"max":1514,"stddev":638.4,"var":407523.4,"ent":3.9,"data": [78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01887{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":414504.9,"max":4457097,"stddev":811357.3,"var":658300731392.0,"ent":3.6,"data": [41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793]},"pktlen": {"min":66,"avg":552.1,"max":1514,"stddev":656.8,"var":431419.8,"ent":4.0,"data": [78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":682,"avg":435375.1,"max":4431980,"stddev":814478.7,"var":663375511552.0,"ent":3.6,"data": [43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669]},"pktlen": {"min":66,"avg":418.2,"max":1514,"stddev":589.2,"var":347103.4,"ent":3.8,"data": [78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514]},"bins": {"c_to_s": [22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":136,"avg":1958267.8,"max":30086001,"stddev":7379834.5,"var":54461959503872.0,"ent":1.1,"data": [47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822]},"pktlen": {"min":66,"avg":394.0,"max":1514,"stddev":556.9,"var":310128.2,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1]}}
 01584{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064590230,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064590230,"pkt":"gCqoTGHM5JjWH70UCABFAABAVptAAEAGBuzAqAEHF\/YDjM+\/AFBrAzOSAAAAALAC\/\/+cMAAAAgQFtAEDAwUBAQgKH2UvkQAAAAAEAgAA"}
@@ -286,7 +286,7 @@
 01020{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1930,"source":"netflix.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319064683828,"flow_src_last_pkt_time":1484319064683828,"flow_dst_last_pkt_time":1484319064699948,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":41,"flow_dst_tot_l4_payload_len":206,"midstream":0,"thread_ts_usec":1484319064699948,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":60962,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.geo.netflix.com","dns": {"num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.37.36.252"}}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064711690,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064711690,"pkt":"gCqoTGHM5JjWH70UCABFAABAfOpAAEAGov3AqAEHNCUk\/M\/TAbvE99WSAAAAALAC\/\/9grAAAAgQFtAEDAwUBAQgKH2UwAgAAAAAEAgAA"}
-01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":1003326.9,"max":30431499,"stddev":5372888.5,"var":28867930619904.0,"ent":0.2,"data": [44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499,0]},"pktlen": {"min":66,"avg":393.5,"max":1514,"stddev":557.0,"var":310204.4,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0]}}
+01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":1003326.9,"max":30431499,"stddev":5372888.5,"var":28867930619904.0,"ent":0.2,"data": [44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499]},"pktlen": {"min":66,"avg":393.5,"max":1514,"stddev":557.0,"var":310204.4,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0]}}
 01585{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1937,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064671268,"flow_dst_last_pkt_time":1484319064722112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722112,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGRvs2vxEzwKgBBwG7z9JcNkhzU8YNlaASOJDYrwAAAgQFtAQCCAqtilitH2Uv3gEDAwg="}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1938,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064669455,"flow_dst_last_pkt_time":1484319064722814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722814,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACkGR\/s2vxEzwKgBBwG7z8mqa43KKbVWHqASOJAmtQAAAgQFtAQCCAqtilitH2Uv3QEDAwg="}
@@ -303,20 +303,20 @@
 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064885811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319064885811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01569{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319064729673,"flow_dst_last_pkt_time":1484319064898548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1484319064898548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}}
 01580{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1977,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064950196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":2896,"midstream":0,"thread_ts_usec":1484319064950196,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}}
-01598{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":47531.9,"max":266118,"stddev":57373.9,"var":3291763968.0,"ent":4.0,"data": [53359,54641,4455,73724,451,53617,123531,11602,72543,62717,1529,55777,52363,2209,208,426,218,96299,96364,227,131,105,82592,81689,880,205,155,38176,40581,146597,266118,0]},"pktlen": {"min":66,"avg":879.4,"max":1514,"stddev":680.5,"var":463015.4,"ent":4.4,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0],"s_to_c": [5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1]}}
+01596{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":47531.9,"max":266118,"stddev":57373.9,"var":3291763968.0,"ent":4.0,"data": [53359,54641,4455,73724,451,53617,123531,11602,72543,62717,1529,55777,52363,2209,208,426,218,96299,96364,227,131,105,82592,81689,880,205,155,38176,40581,146597,266118]},"pktlen": {"min":66,"avg":879.4,"max":1514,"stddev":680.5,"var":463015.4,"ent":4.4,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0],"s_to_c": [5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1]}}
 01573{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":182,"avg":52521.9,"max":282465,"stddev":58168.2,"var":3383536896.0,"ent":4.2,"data": [50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723,0]},"pktlen": {"min":66,"avg":566.5,"max":1514,"stddev":629.7,"var":396553.7,"ent":4.1,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66]},"bins": {"c_to_s": [10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0]}}
+01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":182,"avg":52521.9,"max":282465,"stddev":58168.2,"var":3383536896.0,"ent":4.2,"data": [50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723]},"pktlen": {"min":66,"avg":566.5,"max":1514,"stddev":629.7,"var":396553.7,"ent":4.1,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66]},"bins": {"c_to_s": [10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0]}}
 01573{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":59431.0,"max":332646,"stddev":83335.9,"var":6944879104.0,"ent":3.8,"data": [69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549,0]},"pktlen": {"min":66,"avg":760.1,"max":1514,"stddev":703.8,"var":495333.0,"ent":4.3,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514]},"bins": {"c_to_s": [6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0],"s_to_c": [6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0]}}
+01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":59431.0,"max":332646,"stddev":83335.9,"var":6944879104.0,"ent":3.8,"data": [69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549]},"pktlen": {"min":66,"avg":760.1,"max":1514,"stddev":703.8,"var":495333.0,"ent":4.3,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514]},"bins": {"c_to_s": [6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0],"s_to_c": [6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0]}}
 01585{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}}
-01887{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2593,"avg":93284.4,"max":471964,"stddev":119313.2,"var":14235634688.0,"ent":4.1,"data": [26070,27491,2593,46530,5363,49411,29634,29502,8466,38422,5397,39840,38400,39693,140326,138333,356578,206910,471964,29274,417442,40849,81521,44012,43364,83015,187750,28619,25160,184386,25502,0]},"pktlen": {"min":66,"avg":698.8,"max":1514,"stddev":659.1,"var":434476.8,"ent":4.3,"data": [78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5292,"avg":101928.1,"max":730898,"stddev":155663.8,"var":24231225344.0,"ent":4.0,"data": [30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720,0]},"pktlen": {"min":66,"avg":662.3,"max":1514,"stddev":653.4,"var":426995.3,"ent":4.2,"data": [78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2593,"avg":93284.4,"max":471964,"stddev":119313.2,"var":14235634688.0,"ent":4.1,"data": [26070,27491,2593,46530,5363,49411,29634,29502,8466,38422,5397,39840,38400,39693,140326,138333,356578,206910,471964,29274,417442,40849,81521,44012,43364,83015,187750,28619,25160,184386,25502]},"pktlen": {"min":66,"avg":698.8,"max":1514,"stddev":659.1,"var":434476.8,"ent":4.3,"data": [78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5292,"avg":101928.1,"max":730898,"stddev":155663.8,"var":24231225344.0,"ent":4.0,"data": [30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720]},"pktlen": {"min":66,"avg":662.3,"max":1514,"stddev":653.4,"var":426995.3,"ent":4.2,"data": [78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070636683,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319070636683,"pkt":"gCqoTGHM5JjWH70UCABFAABAs25AAEAGoh\/AqAEHF\/YLhc\/aAFBx1HGxAAAAALAC\/\/84uwAAAgQFtAEDAwUBAQgKH2VGAgAAAAAEAgAA"}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2497,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319070655089,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWnIX9guFwKgBBwBQz9pdV1SucdRxsqAS\/\/+\/OwAAAgQFtAEDAwkEAggKgYtW3h9lRgI="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2499,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1484319070656558,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319070656558,"pkt":"gCqoTGHM5JjWH70UCABFAAA0S\/NAAEAGCafAqAEHF\/YLhc\/aAFBx1HGyXVdUr4AQEBXd4QAAAQEICh9lRhWBi1be"}
 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2501,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070660268,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070660268,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.133","http": {"url":"23.246.11.133\/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}}
-01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3710,"avg":111105.9,"max":530041,"stddev":160200.4,"var":25664157696.0,"ent":3.9,"data": [18406,19875,3710,28859,18073,45753,41559,39617,18474,45294,5405,31729,29350,29485,41132,41119,82225,87690,42083,64319,51529,299907,159779,515651,435957,526591,530041,39964,69880,40403,40425,0]},"pktlen": {"min":66,"avg":786.9,"max":1514,"stddev":666.8,"var":444580.8,"ent":4.4,"data": [78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01890{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3710,"avg":111105.9,"max":530041,"stddev":160200.4,"var":25664157696.0,"ent":3.9,"data": [18406,19875,3710,28859,18073,45753,41559,39617,18474,45294,5405,31729,29350,29485,41132,41119,82225,87690,42083,64319,51529,299907,159779,515651,435957,526591,530041,39964,69880,40403,40425]},"pktlen": {"min":66,"avg":786.9,"max":1514,"stddev":666.8,"var":444580.8,"ent":4.4,"data": [78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1484319033886061,"flow_src_last_pkt_time":1484319068012841,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":122,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":125,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1235,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","src_port":53776,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1484319032865799,"flow_src_last_pkt_time":1484319032866374,"flow_dst_last_pkt_time":1484319032884052,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":329,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":562,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319035004050,"flow_src_last_pkt_time":1484319035004050,"flow_dst_last_pkt_time":1484319035024355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":55,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":55,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51949,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
@@ -328,7 +328,7 @@
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4216,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1484319091296070,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319091309083,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmoX9guNwKgBBwBQz+FsswOfwIA2EaAS\/\/85DQAAAgQFtAEDAwkEAggK\/T5Cox9lk1E="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4217,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1484319091310850,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319091310850,"pkt":"gCqoTGHM5JjWH70UCABFAAA00UpAAEAGhEfAqAEHF\/YLjc\/hAFDAgDYRbLMDoIAQEBVXuAAAAQEICh9lk1\/9PkKj"}
 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4218,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091314892,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319091314892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}}
-01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":186,"avg":30397.3,"max":286066,"stddev":49910.1,"var":2491019008.0,"ent":4.0,"data": [13013,14780,4042,30273,839,3652,30261,186,16542,35559,2040,21479,3192,3317,13322,13300,26482,13309,13526,13848,42739,56409,14727,15199,71007,25498,25497,25504,51553,55156,286066,0]},"pktlen": {"min":66,"avg":833.0,"max":1514,"stddev":665.8,"var":443241.7,"ent":4.4,"data": [78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01876{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":186,"avg":30397.3,"max":286066,"stddev":49910.1,"var":2491019008.0,"ent":4.0,"data": [13013,14780,4042,30273,839,3652,30261,186,16542,35559,2040,21479,3192,3317,13322,13300,26482,13309,13526,13848,42739,56409,14727,15199,71007,25498,25497,25504,51553,55156,286066]},"pktlen": {"min":66,"avg":833.0,"max":1514,"stddev":665.8,"var":443241.7,"ent":4.4,"data": [78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00901{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049641053,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":70,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51728,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319048757894,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048776187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":150,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":150,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":58102,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049681348,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":329,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
@@ -378,7 +378,7 @@
 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6814,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117886937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319117892631,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6821,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319117885772,"flow_dst_last_pkt_time":1484319117930548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117930548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6828,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117942410,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117942410,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
-01859{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":140,"avg":20407.3,"max":141407,"stddev":28956.2,"var":838464256.0,"ent":3.9,"data": [52701,54230,4655,50068,892,45987,1145,402,2281,621,48897,36085,58570,140,1031,141407,13303,12185,4698,8739,8491,4498,3692,4536,12375,12816,15153,13884,6123,6182,6840,0]},"pktlen": {"min":66,"avg":434.8,"max":1514,"stddev":506.4,"var":256458.0,"ent":4.1,"data": [78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721]},"bins": {"c_to_s": [12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
+01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":140,"avg":20407.3,"max":141407,"stddev":28956.2,"var":838464256.0,"ent":3.9,"data": [52701,54230,4655,50068,892,45987,1145,402,2281,621,48897,36085,58570,140,1031,141407,13303,12185,4698,8739,8491,4498,3692,4536,12375,12816,15153,13884,6123,6182,6840]},"pktlen": {"min":66,"avg":434.8,"max":1514,"stddev":506.4,"var":256458.0,"ent":4.1,"data": [78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721]},"bins": {"c_to_s": [12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":1,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1484319118629811,"pkt":"gCqoTGHM5JjWH70UCABFAABDkmsAAP8RpeXAqAEHwKgBAd8FADUALzVHkfABAAABAAAAAAAABWExOTA3BGRzY2cGYWthbWFpA25ldAAAAQAB"}
 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a1907.dscg.akamai.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -394,10 +394,10 @@
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6905,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_packet_id":3,"flow_src_last_pkt_time":1484319118675789,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319118675789,"pkt":"gCqoTGHM5JjWH70UCABFAAA0us1AAEAGOiPAqAEHuBnMCtAEAFDFgkYiq+D9DIAQEBUYOwAAAQEICh9l+cH\/\/WqN"}
 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6906,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319118676250,"flow_dst_last_pkt_time":1484319118672865,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118676250,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/4e36d\/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}}
 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6908,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118687774,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118687774,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/8b1fa\/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}}
-01581{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":63539.0,"max":500942,"stddev":121518.7,"var":14766798848.0,"ent":3.3,"data": [58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945,0]},"pktlen": {"min":66,"avg":456.8,"max":1514,"stddev":552.3,"var":305076.8,"ent":4.1,"data": [78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514]},"bins": {"c_to_s": [10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1]}}
+01579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":63539.0,"max":500942,"stddev":121518.7,"var":14766798848.0,"ent":3.3,"data": [58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945]},"pktlen": {"min":66,"avg":456.8,"max":1514,"stddev":552.3,"var":305076.8,"ent":4.1,"data": [78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514]},"bins": {"c_to_s": [10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1]}}
 01612{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":508,"avg":36240.5,"max":99830,"stddev":21554.2,"var":464585632.0,"ent":4.7,"data": [16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489,0]},"pktlen": {"min":66,"avg":1160.7,"max":1514,"stddev":613.3,"var":376142.5,"ent":4.7,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
-01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":241,"avg":126007.9,"max":1416280,"stddev":340787.6,"var":116136157184.0,"ent":2.6,"data": [15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156,0]},"pktlen": {"min":66,"avg":781.5,"max":1514,"stddev":698.9,"var":488505.9,"ent":4.3,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":508,"avg":36240.5,"max":99830,"stddev":21554.2,"var":464585632.0,"ent":4.7,"data": [16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489]},"pktlen": {"min":66,"avg":1160.7,"max":1514,"stddev":613.3,"var":376142.5,"ent":4.7,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
+01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":241,"avg":126007.9,"max":1416280,"stddev":340787.6,"var":116136157184.0,"ent":2.6,"data": [15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156]},"pktlen": {"min":66,"avg":781.5,"max":1514,"stddev":698.9,"var":488505.9,"ent":4.3,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}}
 00917{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":147,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319110605814,"flow_dst_last_pkt_time":1484319110632202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1427,"flow_dst_tot_l4_payload_len":193037,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
 00865{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319034890998,"flow_src_last_pkt_time":1484319034890998,"flow_dst_last_pkt_time":1484319034890998,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","l4_proto":2,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118652959,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":71,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":71,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -469,10 +469,10 @@
 ~~ total active/idle flows...: 61/61
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6808554 bytes
-~~ total memory freed........: 6808554 bytes
+~~ total memory allocated....: 6808310 bytes
+~~ total memory freed........: 6808310 bytes
 ~~ total allocations/frees...: 129497/129497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1911 chars
-~~ json string avg len.......: 1201 chars
+~~ json string max len.......: 1909 chars
+~~ json string avg len.......: 1200 chars
diff --git a/test/results/netflow-fritz.pcap.out b/test/results/netflow-fritz.pcap.out
index 94e351b1a..bd8a806af 100644
--- a/test/results/netflow-fritz.pcap.out
+++ b/test/results/netflow-fritz.pcap.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035674 bytes
-~~ total memory freed........: 6035674 bytes
+~~ total memory allocated....: 6035670 bytes
+~~ total memory freed........: 6035670 bytes
 ~~ total allocations/frees...: 121488/121488
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/netflowv9.pcap.out b/test/results/netflowv9.pcap.out
index b68226e76..f0db5c217 100644
--- a/test/results/netflowv9.pcap.out
+++ b/test/results/netflowv9.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035935 bytes
-~~ total memory freed........: 6035935 bytes
+~~ total memory allocated....: 6035931 bytes
+~~ total memory freed........: 6035931 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/nfsv2.pcap.out b/test/results/nfsv2.pcap.out
index 6b0573859..bb812f091 100644
--- a/test/results/nfsv2.pcap.out
+++ b/test/results/nfsv2.pcap.out
@@ -21,7 +21,7 @@
 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338490000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00618{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":944207338490000,"pkt":"AMCV4Bm+AMCV+E3TCABFAAB8jl8AAP8R6naLGRZmixkWAggBA\/8AaNSdXh0LlAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAYAAAQAAAAAAAAAAAAAAQEIUAALJaOEd1QgAFMCA4R3VCAAd6EDhHdUIAB3oQ"}
 00659{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":944207338490000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACYZMcAAP8RE\/OLGRYCixkWZgP\/CAEAhHghXh0LlQAAAAAAAAACAAGGowAAAAIAAAARAAAAAQAAADQ4R3XQAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAEBCFAAAD5wAKAAAAALJaAAAAKQAKAAAAALJaAAAAKQ=="}
-01660{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":15000.0,"max":40000,"stddev":11180.3,"var":125000000.0,"ent":3.3,"data": [40000,40000,10000,10000,10000,10000,10000,10000,10000,10000,10000,10000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":70,"avg":147.5,"max":214,"stddev":43.1,"var":1860.8,"ent":4.9,"data": [166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138]},"bins": {"c_to_s": [0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
+01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":15000.0,"max":40000,"stddev":11180.3,"var":125000000.0,"ent":3.3,"data": [40000,40000,10000,10000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":70,"avg":147.5,"max":214,"stddev":43.1,"var":1860.8,"ent":4.9,"data": [166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138]},"bins": {"c_to_s": [0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207338880000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZRAAAEAR0uaLGRYCixkWZgzdAG8ASKDlOErjjgAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="}
 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
@@ -46,10 +46,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049937 bytes
-~~ total memory freed........: 6049937 bytes
+~~ total memory allocated....: 6049909 bytes
+~~ total memory freed........: 6049909 bytes
 ~~ total allocations/frees...: 121703/121703
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1665 chars
-~~ json string avg len.......: 1076 chars
+~~ json string max len.......: 1625 chars
+~~ json string avg len.......: 1056 chars
diff --git a/test/results/nfsv3.pcap.out b/test/results/nfsv3.pcap.out
index 4116ee0dc..4a0044246 100644
--- a/test/results/nfsv3.pcap.out
+++ b/test/results/nfsv3.pcap.out
@@ -25,7 +25,7 @@
 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397400000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":944207397400000,"pkt":"AMCV4Bm+AMCV+E3TCABFAACM5FMAAP8RlHKLGRZmixkWAggBA\/4AeFlmXh0L3AAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEIUAAAAAAACyWjhHdgwUQ\/0COEd16jDgNQI4R3XqMOA1Ag=="}
 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":944207397400000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACcZUIAAP8RE3SLGRYCixkWZgP+CAEAiHd0Xh0L3QAAAAAAAAACAAGGowAAAAMAAAATAAAAAQAAADQ4R3YLAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAAAAgABAQhQAAA+cACgAAAACyWgAAACkACgAAAACyWgAAACk="}
-01662{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":16666.7,"max":50000,"stddev":14907.1,"var":222222224.0,"ent":3.2,"data": [10000,10000,50000,50000,10000,10000,10000,10000,10000,10000,10000,10000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":74,"avg":176.4,"max":314,"stddev":63.4,"var":4021.9,"ent":4.9,"data": [170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74]},"bins": {"c_to_s": [0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
+01622{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":16666.7,"max":50000,"stddev":14907.1,"var":222222224.0,"ent":3.2,"data": [10000,10000,50000,50000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":74,"avg":176.4,"max":314,"stddev":63.4,"var":4021.9,"ent":4.9,"data": [170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74]},"bins": {"c_to_s": [0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207397740000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZXwAAEAR0nqLGRYCixkWZgzjAG8ASDjzOExLeQAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="}
 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
@@ -51,10 +51,10 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050753 bytes
-~~ total memory freed........: 6050753 bytes
+~~ total memory allocated....: 6050721 bytes
+~~ total memory freed........: 6050721 bytes
 ~~ total allocations/frees...: 121685/121685
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1667 chars
-~~ json string avg len.......: 1077 chars
+~~ json string max len.......: 1627 chars
+~~ json string avg len.......: 1057 chars
diff --git a/test/results/nintendo.pcap.out b/test/results/nintendo.pcap.out
index d31961758..e9ece0913 100644
--- a/test/results/nintendo.pcap.out
+++ b/test/results/nintendo.pcap.out
@@ -25,7 +25,7 @@
 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731323269434,"flow_src_last_pkt_time":1500731323269434,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731323269434,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1500731323270842,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270842,"pkt":"AA6OGXEMfLuKifuECABFAABoEWAAAEARLjDAqAxyI55KPcuXgjcAVAoAMquYZAIAAACgRQAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjfL9\/FaWie4QujpeJZMzmHA=="}
 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1500731323270871,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270871,"pkt":"AA6OGXEMfLuKifuECABFAABoEWEAAEARLi\/AqAxyI55KPcuXgjcAVCUqMquYZAIAAACgRgAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjeofEEG4mAZPKsmIYZ3XQPw=="}
-01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":193617.4,"max":1729670,"stddev":331922.2,"var":110172323840.0,"ent":3.6,"data": [87919,239629,335441,89838,30639,131192,103304,499986,507312,130872,234805,19308,15810,5164,16850,12585,53490,8758,197,60833,14170,505639,501514,5142,514446,94641,233,1729670,53,52619,81,0]},"pktlen": {"min":102,"avg":167.0,"max":854,"stddev":179.5,"var":32207.0,"ent":4.5,"data": [102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118]},"bins": {"c_to_s": [0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
+01748{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":193617.4,"max":1729670,"stddev":331922.2,"var":110172323840.0,"ent":3.6,"data": [87919,239629,335441,89838,30639,131192,103304,499986,507312,130872,234805,19308,15810,5164,16850,12585,53490,8758,197,60833,14170,505639,501514,5142,514446,94641,233,1729670,53,52619,81]},"pktlen": {"min":102,"avg":167.0,"max":854,"stddev":179.5,"var":32207.0,"ent":4.5,"data": [102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118]},"bins": {"c_to_s": [0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326270619,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":688,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":688,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":688,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326270619,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":730,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":730,"pkt_l4_len":696,"thread_ts_usec":1500731326270619,"pkt":"AA6OGXEMfLuKifuECABFAALMEW8AAEARl9zAqAxyNArNscuXhicCuLNGMquYZAEAAACsAAAACAICgAAAAAAAZU1IgACGJwAAAAAPAfz\/AmL\/\/\/\/\/\/\/\/\/\/\/\/\/DNhnHrgUDeqh96EJudpqr7HTWmwuyiNXAoN8EJ3L9Q9BYy53b12QoycQBbgF0+MGumCDqya3DRDi\/FgfUDp8jmtF0eLtdJawWMd0Uh7gRi0nJAedvr+L4LDG+1PkKHdQjXkwcc63uSwXLbhZGs5rZ8pLuCki3H7JLOG5CI96WiAzLSOgOT5MmMOkBR9lHnUbly8I57OvnsPjzu2ZoGj750rOuJoq4PDp+HTtcuUkR\/yuCERU5DE5fS3WD79Od2EljENI\/Aj0rbyEoWaVKXUGbMeIN\/PHtUKEKwxkiH\/DZpj\/dOZVZle2A+wpaUtVb5Kkq8m0M0sj8U0Nr8\/f9iy5nCcQHobd29hf9qcfXx\/tCnteI0cP0tyykizOxpnlPK2I0STXsPD0wxOnU\/OOfu8Wm3V94s2PEbCeAbRx8PvXHbjtAm8AnmQMBMeFM6TQwwpijOYTfaXxrgmiFU\/AHPdepp0ILcWD5QSKt4MWDsJ\/eC61SjGvCVRvXn2JW5KB\/4JQcfZHw4S\/auTmIFCllOyidDXFohQ4NU8A9vt0e5qrI\/cou3U09qQhgu6ncsvX+jQusCyJhx1EpdaFLaOseb4xo0IjeHtTg5uKzMiP+l3dg6BJfcICpsS0fKy4Lvcxzq4iHlV\/CkZw5k\/5qPEe1WClYIIYAQ1QuHKqZOMgl0qEP1biit38pQoNuI5A\/WZ4yptUyrSpaVacwxp5yZkU47ddcg7lId\/wkwQjzVN9BmlVIcEupSyiP64T8RypU57m5OsmKDUV8cUXr\/nGnwi\/96TbsG+A6i29VkTJzG6j04DbRd\/2rnSbi4lJUC2\/\/AUQQJGvBPVxZ\/JcWHrRv6UUWsmJyg=="}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326599476,"flow_src_last_pkt_time":1500731326599476,"flow_dst_last_pkt_time":1500731326599476,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326599476,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":18874,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -77,7 +77,7 @@
 01200{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":156,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341241134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731341246098,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01260{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":1348,"midstream":0,"thread_ts_usec":1500731341285479,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01577{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":2696,"midstream":0,"thread_ts_usec":1500731341285901,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}}
-01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":1262852.6,"max":14019058,"stddev":3442938.0,"var":11853821378560.0,"ent":2.4,"data": [6277,307132,3508675,3481620,246,43,276417,18546,55237,145,35743,210876,214177,255332,13944464,14019058,757,51,5265,332523,29922,280387,254222,215658,3394,13561,231064,4335,258992,453544,730768,0]},"pktlen": {"min":66,"avg":134.2,"max":471,"stddev":98.4,"var":9678.6,"ent":4.7,"data": [166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117]},"bins": {"c_to_s": [8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":1262852.6,"max":14019058,"stddev":3442938.0,"var":11853821378560.0,"ent":2.4,"data": [6277,307132,3508675,3481620,246,43,276417,18546,55237,145,35743,210876,214177,255332,13944464,14019058,757,51,5265,332523,29922,280387,254222,215658,3394,13561,231064,4335,258992,453544,730768]},"pktlen": {"min":66,"avg":134.2,"max":471,"stddev":98.4,"var":9678.6,"ent":4.7,"data": [166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117]},"bins": {"c_to_s": [8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731342849734,"pkt":"AA6OGXEMfLuKifuECABFAABoEaUAAAQRdQ7AqAxyuXapQdpra4AAVCIdMquYZAIAAADswAAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+4rX5hDUY6wfFQBAZE4XnJazusJzbVQnhevgQppjVzdvQ=="}
 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
@@ -103,9 +103,9 @@
 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731343274328,"flow_src_last_pkt_time":1500731343274328,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731343274328,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":227,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1500731343274498,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274498,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsAs38AAAAARQAAaBG2AAABEertwKgMclE9noraa8o5AFSchg=="}
 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1500731343274660,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274660,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsA7ykAAAAARQAAaBG3AAABEerswKgMclE9noraa8o5AFRg3A=="}
-01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":78321.6,"max":754134,"stddev":152593.1,"var":23284658176.0,"ent":3.2,"data": [280,397,210011,243,431,203806,304,212,311877,2339,183,754134,1127,30674,588,242272,245592,5517,2752,1899,125604,98,25,109131,222,10721,20118,10437,105846,2222,28907,0]},"pktlen": {"min":102,"avg":168.0,"max":886,"stddev":186.2,"var":34652.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102]},"bins": {"c_to_s": [0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
-01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":106446.4,"max":757918,"stddev":188381.8,"var":35487694848.0,"ent":3.4,"data": [726,2728,200750,236,363,313750,216,309,757918,67,245897,246,38434,238,116689,3047,25905,110485,1189,79734,7959,87905,10077,91853,20145,506365,607064,9714,10174,12917,36738,0]},"pktlen": {"min":102,"avg":221.0,"max":886,"stddev":231.8,"var":53743.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486]},"bins": {"c_to_s": [0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
-01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":99481.6,"max":649265,"stddev":183756.7,"var":33766533120.0,"ent":3.2,"data": [295,399,313495,260,289,284287,137,381,629371,5230,43658,5349,61371,137,131610,65365,7948,186,836,31052,435,67583,2946,484,7525,105852,5669,103301,9836,549379,649265,0]},"pktlen": {"min":102,"avg":167.5,"max":886,"stddev":186.3,"var":34709.8,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102]},"bins": {"c_to_s": [0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
+01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":78321.6,"max":754134,"stddev":152593.1,"var":23284658176.0,"ent":3.2,"data": [280,397,210011,243,431,203806,304,212,311877,2339,183,754134,1127,30674,588,242272,245592,5517,2752,1899,125604,98,25,109131,222,10721,20118,10437,105846,2222,28907]},"pktlen": {"min":102,"avg":168.0,"max":886,"stddev":186.2,"var":34652.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102]},"bins": {"c_to_s": [0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
+01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":106446.4,"max":757918,"stddev":188381.8,"var":35487694848.0,"ent":3.4,"data": [726,2728,200750,236,363,313750,216,309,757918,67,245897,246,38434,238,116689,3047,25905,110485,1189,79734,7959,87905,10077,91853,20145,506365,607064,9714,10174,12917,36738]},"pktlen": {"min":102,"avg":221.0,"max":886,"stddev":231.8,"var":53743.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486]},"bins": {"c_to_s": [0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
+01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":99481.6,"max":649265,"stddev":183756.7,"var":33766533120.0,"ent":3.2,"data": [295,399,313495,260,289,284287,137,381,629371,5230,43658,5349,61371,137,131610,65365,7948,186,836,31052,435,67583,2946,484,7525,105852,5669,103301,9836,549379,649265]},"pktlen": {"min":102,"avg":167.5,"max":886,"stddev":186.3,"var":34709.8,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102]},"bins": {"c_to_s": [0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
 00881{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"AmazonAWS","proto_id":"265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00765{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1500731341194858,"flow_src_last_pkt_time":1500731341194858,"flow_dst_last_pkt_time":1500731341194969,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":239,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":51035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Nintendo","proto_id":"5.173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
@@ -142,10 +142,10 @@
 ~~ total active/idle flows...: 21/21
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6115089 bytes
-~~ total memory freed........: 6115089 bytes
+~~ total memory allocated....: 6115005 bytes
+~~ total memory freed........: 6115005 bytes
 ~~ total allocations/frees...: 122701/122701
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1770 chars
-~~ json string avg len.......: 1131 chars
+~~ json string max len.......: 1768 chars
+~~ json string avg len.......: 1130 chars
diff --git a/test/results/nntp.pcap.out b/test/results/nntp.pcap.out
index 8a155f184..609aa8d95 100644
--- a/test/results/nntp.pcap.out
+++ b/test/results/nntp.pcap.out
@@ -5,7 +5,7 @@
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1258844926423672,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1258844926423829,"pkt":"ABQqM3R+AEBj1fcCCABFAAA8AABAAEAGPVHAqL4FwKi+FAB32U6dVo1l2dJVlaASFqBxAwAAAgQFtAQCCAoKz1tgAMgoAwEDAwQ="}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1258844926423850,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1258844926423850,"pkt":"AEBj1fcCABQqM3R+CABFAAA0fZhAAEAGv8DAqL4UwKi+BdlOAHfZ0lWVnVaNZoAQAFy2EAAAAQEICgDIKAMKz1tg"}
 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844926441100,"flow_dst_last_pkt_time":1258844926440830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":124,"flow_src_tot_l4_payload_len":13,"flow_dst_tot_l4_payload_len":124,"midstream":0,"thread_ts_usec":1258844926441100,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":4345908.0,"max":25684268,"stddev":7782391.0,"var":60565611347968.0,"ent":3.1,"data": [157,178,17001,17072,178,379,673149,673694,608,343,40452,19518042,19565845,7986,4770071,4784435,14326,95,29,25683555,25684268,770,12078373,12090740,12467,209,55,4543973,116,4544308,283,0]},"pktlen": {"min":54,"avg":219.9,"max":1514,"stddev":397.4,"var":157950.1,"ent":3.7,"data": [74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":4345908.0,"max":25684268,"stddev":7782391.0,"var":60565611347968.0,"ent":3.1,"data": [157,178,17001,17072,178,379,673149,673694,608,343,40452,19518042,19565845,7986,4770071,4784435,14326,95,29,25683555,25684268,770,12078373,12090740,12467,209,55,4543973,116,4544308,283]},"pktlen": {"min":54,"avg":219.9,"max":1514,"stddev":397.4,"var":157950.1,"ent":3.7,"data": [74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":4921,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1258844993785292}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038621 bytes
-~~ total memory freed........: 6038621 bytes
+~~ total memory allocated....: 6038617 bytes
+~~ total memory freed........: 6038617 bytes
 ~~ total allocations/frees...: 121520/121520
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1738 chars
-~~ json string avg len.......: 1054 chars
+~~ json string max len.......: 1736 chars
+~~ json string avg len.......: 1053 chars
diff --git a/test/results/no_sni.pcap.out b/test/results/no_sni.pcap.out
index 79506b987..654b2782d 100644
--- a/test/results/no_sni.pcap.out
+++ b/test/results/no_sni.pcap.out
@@ -13,12 +13,12 @@
 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444629799,"flow_dst_last_pkt_time":1604822444807971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":682,"midstream":0,"thread_ts_usec":1604822444807971,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"f14ec85ee5580a29f6523e24e5d3d527","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822444913120,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822444913120,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGlCjAqAF3aBB8YMmcAbs\/DuN6AAAAALAC\/\/+FPgAAAgQFtAEDAwYBAQgKKlLy+gAAAAAEAgAA"}
-01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":27858.2,"max":180261,"stddev":53974.2,"var":2913210624.0,"ent":3.0,"data": [137944,138022,4673,280,93,180261,3035,178242,156,4,141,2334,6395,1417,5511,15440,136,687,115,1388,73966,13479,4177,2946,6,76790,62,5422,2521,12,7950,0]},"pktlen": {"min":54,"avg":141.2,"max":736,"stddev":163.8,"var":26828.9,"ent":4.4,"data": [78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54]},"bins": {"c_to_s": [10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
+01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":27858.2,"max":180261,"stddev":53974.2,"var":2913210624.0,"ent":3.0,"data": [137944,138022,4673,280,93,180261,3035,178242,156,4,141,2334,6395,1417,5511,15440,136,687,115,1388,73966,13479,4177,2946,6,76790,62,5422,2521,12,7950]},"pktlen": {"min":54,"avg":141.2,"max":736,"stddev":163.8,"var":26828.9,"ent":4.4,"data": [78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54]},"bins": {"c_to_s": [10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1604822445034293,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADkGmzRoEHxgwKgBdwG7yZyEa\/jPPw7je4AS\/\/9djQAAAgQFeAEBBAIBAwMK"}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1604822445034393,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1604822445034393,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGlEDAqAF3aBB8YMmcAbs\/DuN7hGv40FAQEACOJgAA"}
 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822445039824,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445135087,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":232,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":232,"midstream":0,"thread_ts_usec":1604822445135087,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":50434.7,"max":472643,"stddev":107031.5,"var":11455736832.0,"ent":3.0,"data": [121173,121273,5431,100429,365,95332,957,4750,120,77068,533,71774,182,427,594,188,76917,15494,380381,472643,2763,2757,2091,2075,1637,1645,1367,284,1629,603,593,0]},"pktlen": {"min":54,"avg":381.0,"max":1514,"stddev":489.4,"var":239474.4,"ent":4.0,"data": [78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54]},"bins": {"c_to_s": [12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":50434.7,"max":472643,"stddev":107031.5,"var":11455736832.0,"ent":3.0,"data": [121173,121273,5431,100429,365,95332,957,4750,120,77068,533,71774,182,427,594,188,76917,15494,380381,472643,2763,2757,2091,2075,1637,1645,1367,284,1629,603,593]},"pktlen": {"min":54,"avg":381.0,"max":1514,"stddev":489.4,"var":239474.4,"ent":4.0,"data": [78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54]},"bins": {"c_to_s": [12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447227531,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447227531,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822447227531,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGSmLAqAF3aBHGJcmzAbtjbUROAAAAALAC\/\/+t4gAAAgQFtAEDAwYBAQgKKlL7RgAAAAAEAgAA"}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":789,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447249969,"flow_src_last_pkt_time":1604822447249969,"flow_dst_last_pkt_time":1604822447249969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447249969,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -49,7 +49,7 @@
 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":944,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447374307,"flow_dst_last_pkt_time":1604822447500011,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447500011,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":948,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447380742,"flow_dst_last_pkt_time":1604822447506495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447506495,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":952,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447386869,"flow_dst_last_pkt_time":1604822447515088,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447515088,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":32040.9,"max":143742,"stddev":43042.9,"var":1852691072.0,"ent":3.8,"data": [81926,82025,5271,129371,1703,673,126443,63976,9103,148,11896,1581,143742,57056,79239,1596,80830,1627,14677,255,13311,11856,23,12136,91,25357,25014,814,775,5252,5500,0]},"pktlen": {"min":54,"avg":285.3,"max":1514,"stddev":409.4,"var":167573.6,"ent":4.0,"data": [78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54]},"bins": {"c_to_s": [12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":32040.9,"max":143742,"stddev":43042.9,"var":1852691072.0,"ent":3.8,"data": [81926,82025,5271,129371,1703,673,126443,63976,9103,148,11896,1581,143742,57056,79239,1596,80830,1627,14677,255,13311,11856,23,12136,91,25357,25014,814,775,5252,5500]},"pktlen": {"min":54,"avg":285.3,"max":1514,"stddev":409.4,"var":167573.6,"ent":4.0,"data": [78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54]},"bins": {"c_to_s": [12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447785923,"flow_dst_last_pkt_time":1604822447869770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5913,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447844256,"flow_dst_last_pkt_time":1604822447844195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447839595,"flow_dst_last_pkt_time":1604822447839532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -67,10 +67,10 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6127710 bytes
-~~ total memory freed........: 6127710 bytes
+~~ total memory allocated....: 6127678 bytes
+~~ total memory freed........: 6127678 bytes
 ~~ total allocations/frees...: 122780/122780
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1730 chars
-~~ json string avg len.......: 1109 chars
+~~ json string max len.......: 1728 chars
+~~ json string avg len.......: 1108 chars
diff --git a/test/results/ocs.pcap.out b/test/results/ocs.pcap.out
index 273460c25..90b1e6b26 100644
--- a/test/results/ocs.pcap.out
+++ b/test/results/ocs.pcap.out
@@ -59,7 +59,7 @@
 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":59,"source":"ocs.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652788109953,"flow_src_last_pkt_time":1449652788195073,"flow_dst_last_pkt_time":1449652788109953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652788195073,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":36680,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.OCS","proto_id":"91.218","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"ocs.labgency.ws","tls": {"version":"TLSv1","ja3":"0534a22b266a64a5cc9a90f7b5c483cc","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1449652788595794,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652788595794,"pkt":"RQAAPDy5QABABnycwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI02AAAAIEBbQEAggKADWDYAAAAAABAwMG"}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1449652790602154,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652790602154,"pkt":"RQAAPDy6QABABnybwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI0pgAAAIEBbQEAggKADWEKAAAAAABAwMG"}
-01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":450,"avg":88040.5,"max":928563,"stddev":172609.9,"var":29794174976.0,"ent":3.5,"data": [83797,14275,246872,572,450,68391,1837,71492,506,5433,4137,41728,146026,90832,71054,77421,63432,3718,80468,1653,86121,564,67336,32599,43283,386587,73735,2510,928563,31722,2140,0]},"pktlen": {"min":52,"avg":83.1,"max":715,"stddev":113.8,"var":12942.2,"ent":4.5,"data": [60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64]},"bins": {"c_to_s": [31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":450,"avg":88040.5,"max":928563,"stddev":172609.9,"var":29794174976.0,"ent":3.5,"data": [83797,14275,246872,572,450,68391,1837,71492,506,5433,4137,41728,146026,90832,71054,77421,63432,3718,80468,1653,86121,564,67336,32599,43283,386587,73735,2510,928563,31722,2140]},"pktlen": {"min":52,"avg":83.1,"max":715,"stddev":113.8,"var":12942.2,"ent":4.5,"data": [60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64]},"bins": {"c_to_s": [31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"ocs.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1449652792355546,"flow_dst_last_pkt_time":1449652784341686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652792355546,"pkt":"RQAAPKb0QABABiV3wKi0AkDpuLy6UxRsAv3YCQAAAACgAjkIcdQAAAIEBbQEAggKADWE2AAAAAABAwMG"}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1449652797357367,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652797357367,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"64.233.184.188","src_port":32946,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3}
 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652797357367,"pkt":"RQAAPAMUQABABslXwKi0AkDpuLyAsgG7QZiF2AAAAACgAjkIz8gAAAIEBbQEAggKADWGzAAAAAABAwMG"}
@@ -88,7 +88,7 @@
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":865,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1449652842700226,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":52,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":52,"pkt_l4_len":32,"thread_ts_usec":1449652842700226,"pkt":"RQAAND8aQABABgM0wKi0ArL40NKmXgBQrzCnZDkypeeAEADlhQYAAAEBCAoANZiCGkFpBQ=="}
 00708{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":204,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":204,"pkt_l4_len":184,"thread_ts_usec":1449652842701752,"pkt":"RQAAzD8bQABABgKbwKi0ArL40NKmXgBQrzCnZDkypeeAGADlkB4AAAEBCAoANZiCGkFpBUdFVCAvZGF0YV9wbGF0ZWZvcm1lL3Byb2dyYW0vMTg0OTYvdHZfZGV0YWlsX21vcnRkdW5wb3VydzAwMTIyMzZfNzJmNmMuanBnIEhUVFAvMS4xDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANCkhvc3Q6IHd3dy5vY3MuZnINCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0K"}
 01030{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652842701752,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.ocs.fr","http": {"url":"www.ocs.fr\/data_plateforme\/program\/18496\/tv_detail_mortdunpourw0012236_72f6c.jpg","code":0,"content_type":"","user_agent":""}}}
-01681{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":27165.3,"max":79495,"stddev":29589.7,"var":875550464.0,"ent":4.0,"data": [71399,1526,54762,1106,3570,59902,605,77,5328,64776,1667,1533,79495,5458,58361,1849,64604,1987,67520,26503,42864,25995,65439,972,48553,1253,1960,1270,75524,1445,4821,0]},"pktlen": {"min":52,"avg":63.9,"max":204,"stddev":26.3,"var":690.5,"ent":4.9,"data": [60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72]},"bins": {"c_to_s": [31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01679{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":27165.3,"max":79495,"stddev":29589.7,"var":875550464.0,"ent":4.0,"data": [71399,1526,54762,1106,3570,59902,605,77,5328,64776,1667,1533,79495,5458,58361,1849,64604,1987,67520,26503,42864,25995,65439,972,48553,1253,1960,1270,75524,1445,4821]},"pktlen": {"min":52,"avg":63.9,"max":204,"stddev":26.3,"var":690.5,"ent":4.9,"data": [60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72]},"bins": {"c_to_s": [31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00751{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":938,"source":"ocs.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1449652798230623,"flow_src_last_pkt_time":1449652798230623,"flow_dst_last_pkt_time":1449652798230623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652845277546,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"8.8.8.8","src_port":11793,"dst_port":53,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3}
 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652846380718,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":156,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":308,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00756{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":0,"flow_first_seen":1449652786395470,"flow_src_last_pkt_time":1449652787578542,"flow_dst_last_pkt_time":1449652786395470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"137.135.129.206","src_port":44959,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3}
@@ -121,10 +121,10 @@
 ~~ total active/idle flows...: 20/20
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6105101 bytes
-~~ total memory freed........: 6105101 bytes
+~~ total memory allocated....: 6105021 bytes
+~~ total memory freed........: 6105021 bytes
 ~~ total allocations/frees...: 122656/122656
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1703 chars
-~~ json string avg len.......: 1095 chars
+~~ json string max len.......: 1701 chars
+~~ json string avg len.......: 1094 chars
diff --git a/test/results/ocsp.pcapng.out b/test/results/ocsp.pcapng.out
index 8c7aff7e9..110db02cd 100644
--- a/test/results/ocsp.pcapng.out
+++ b/test/results/ocsp.pcapng.out
@@ -17,8 +17,8 @@
 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1623222785863296,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623222785875339,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADgGxC5cel\/rwKgBgABQqtACFmIrx0ULW6AScSDxGwAAAgQFtAQCCAqrs6x4tFZ4oAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8kYB7"}
 00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1623222785879381,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623222785879381,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0JGJAAEAGl9TAqAGAXHpf66rQAFDHRQtbAhZiLIAQAfaPAgAAAQEICrRWeLCrs6x4GYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcxJlyw=="}
 01122{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222785879661,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623222785879661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"r3.o.lencr.org","http": {"url":"r3.o.lencr.org\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}}
-01824{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3376,"avg":7529886.0,"max":10243102,"stddev":4272061.0,"var":18250505125888.0,"ent":4.5,"data": [3376,7013,7440,102951,109262,10007824,10012989,10151666,10151973,10240500,10240566,10243102,10242877,10236097,10235872,10239925,10240468,10239857,10239497,5617732,5617894,102927,109302,10148797,10155034,10236056,10236089,10239827,10239709,10239962,0,0]},"pktlen": {"min":118,"avg":187.0,"max":820,"stddev":189.1,"var":35745.5,"ent":4.5,"data": [126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}}
-01830{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":280,"avg":7440051.5,"max":10244049,"stddev":4398639.5,"var":19348030750720.0,"ent":4.5,"data": [12043,16085,280,19618,157130,176931,7779779,7796085,1344,16621,10045906,10060740,10239929,10239733,10239821,10240037,10244027,10243851,10239937,10239981,10236031,10236118,10243927,10244049,10235957,10235895,10239975,10239809,10240030,10240044,10239885,0]},"pktlen": {"min":118,"avg":198.2,"max":1007,"stddev":228.7,"var":52281.3,"ent":4.4,"data": [126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01820{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3376,"avg":7529886.0,"max":10243102,"stddev":4272061.0,"var":18250505125888.0,"ent":4.5,"data": [3376,7013,7440,102951,109262,10007824,10012989,10151666,10151973,10240500,10240566,10243102,10242877,10236097,10235872,10239925,10240468,10239857,10239497,5617732,5617894,102927,109302,10148797,10155034,10236056,10236089,10239827,10239709,10239962]},"pktlen": {"min":118,"avg":187.0,"max":820,"stddev":189.1,"var":35745.5,"ent":4.5,"data": [126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}}
+01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":280,"avg":7440051.5,"max":10244049,"stddev":4398639.5,"var":19348030750720.0,"ent":4.5,"data": [12043,16085,280,19618,157130,176931,7779779,7796085,1344,16621,10045906,10060740,10239929,10239733,10239821,10240037,10244027,10243851,10239937,10239981,10236031,10236118,10243927,10244049,10235957,10235895,10239975,10239809,10240030,10240044,10239885]},"pktlen": {"min":118,"avg":198.2,"max":1007,"stddev":228.7,"var":52281.3,"ent":4.4,"data": [126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223090984057,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223090984057,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8WOFAAEAGCBnAqAGAl4uADoYQAFC9BO7MAAAAAKAC+vBq5AAAAgQFtAQCCArLCQstAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk1G4o"}
 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223091009779,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223091009779,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADAGcPqXi4AOwKgBgABQhhCFN\/R2vQTuzaAS\/ohuswAAAgQFtAQCCAoBgn1XywkLLQEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKwfqN"}
@@ -39,7 +39,7 @@
 01129{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226796057242,"flow_dst_last_pkt_time":1623226796050182,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":387,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226796057242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.digicert.com","http": {"url":"ocsp.digicert.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}}
 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223156058732,"flow_dst_last_pkt_time":1623223156084748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":393,"flow_dst_max_l4_payload_len":728,"flow_src_tot_l4_payload_len":393,"flow_dst_tot_l4_payload_len":1199,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223091709422,"flow_src_last_pkt_time":1623223156773701,"flow_dst_last_pkt_time":1623223156800666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":389,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":389,"flow_dst_tot_l4_payload_len":917,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01810{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":297,"avg":6307708.5,"max":10240173,"stddev":4932344.5,"var":24328020164608.0,"ent":4.3,"data": [3075,7547,2588,10413,297,8000,10198565,10205648,10239932,10239686,10240046,10239807,10240147,10240173,10239675,10239894,594543,595404,7786,346,7916,7271,10142015,10148632,10239909,10240023,10239943,10239865,10239954,10239944,10239922,0]},"pktlen": {"min":118,"avg":229.7,"max":917,"stddev":247.8,"var":61420.8,"ent":4.4,"data": [126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01808{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":297,"avg":6307708.5,"max":10240173,"stddev":4932344.5,"var":24328020164608.0,"ent":4.3,"data": [3075,7547,2588,10413,297,8000,10198565,10205648,10239932,10239686,10240046,10239807,10240147,10240173,10239675,10239894,594543,595404,7786,346,7916,7271,10142015,10148632,10239909,10240023,10239943,10239865,10239954,10239944,10239922]},"pktlen": {"min":118,"avg":229.7,"max":917,"stddev":247.8,"var":61420.8,"ent":4.4,"data": [126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":208,"packets-processed":207,"total-skipped-flows":0,"total-l4-payload-len":19557,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1623227471703092}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227471703092,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623227471703092,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8CDlAAEAGLKrAqAGANFUPXMDmAFDpM3mLAAAAAKAC+vAljwAAAgQFtAQCCArD2jnWAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU0JsT"}
@@ -52,8 +52,8 @@
 00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1623227472218439,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623227472218439,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0cD1AAEAGbnTAqAGAl2UCheoSAFClxR9WcxTjBIAQAfagEQAAAQEIClxJqx0CSmlaGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyO91A=="}
 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":218,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227472219362,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227472219362,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.globalsign.com","http": {"url":"ocsp.globalsign.com\/gsrsaovsslca2018","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}}
 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":224,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":23,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226963037756,"flow_dst_last_pkt_time":1623226963033362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623227472228502,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01816{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":615,"avg":7851182.5,"max":10240632,"stddev":4240709.0,"var":17983611076608.0,"ent":4.5,"data": [3378,7400,923,8114,615,9140,10126876,10134843,10240392,10240491,10239169,10239578,10239933,10239705,10239910,10239519,10239942,10240185,10239877,10240084,10240632,10240175,10239571,10239443,10239518,10240005,10239975,10240013,2594877,0,0,0]},"pktlen": {"min":118,"avg":193.5,"max":1462,"stddev":263.0,"var":69147.6,"ent":4.3,"data": [126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":379,"avg":7461984.0,"max":10240568,"stddev":4364520.0,"var":19049033498624.0,"ent":4.6,"data": [11963,16479,379,17094,109967,126649,9996419,10012379,10239928,10239783,10239896,10240232,10239903,10239633,10239951,10239961,10239904,10240133,10239949,10239714,10239909,10239972,10240568,10240566,10239801,10239750,10239347,10239527,3107000,3107879,16865,0]},"pktlen": {"min":118,"avg":162.3,"max":1124,"stddev":185.9,"var":34567.0,"ent":4.5,"data": [126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01810{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":615,"avg":7851182.5,"max":10240632,"stddev":4240709.0,"var":17983611076608.0,"ent":4.5,"data": [3378,7400,923,8114,615,9140,10126876,10134843,10240392,10240491,10239169,10239578,10239933,10239705,10239910,10239519,10239942,10240185,10239877,10240084,10240632,10240175,10239571,10239443,10239518,10240005,10239975,10240013,2594877]},"pktlen": {"min":118,"avg":193.5,"max":1462,"stddev":263.0,"var":69147.6,"ent":4.3,"data": [126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01829{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":379,"avg":7461984.0,"max":10240568,"stddev":4364520.0,"var":19049033498624.0,"ent":4.6,"data": [11963,16479,379,17094,109967,126649,9996419,10012379,10239928,10239783,10239896,10240232,10239903,10239633,10239951,10239961,10239904,10240133,10239949,10239714,10239909,10239972,10240568,10240566,10239801,10239750,10239347,10239527,3107000,3107879,16865]},"pktlen": {"min":118,"avg":162.3,"max":1124,"stddev":185.9,"var":34567.0,"ent":4.5,"data": [126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":275,"packets-processed":274,"total-skipped-flows":0,"total-l4-payload-len":23358,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":8,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":8,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":57,"global_ts_usec":1623229632695852}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229632695852,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623229632695852,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA82G5AAEAGQmzAqAGAbUbwcrHKAFDtwUNWAAAAAKAC+vAcMQAAAgQFtAQCCAoRKRyhAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZRLNb"}
@@ -68,7 +68,7 @@
 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":301,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1623229850972935,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623229850972935,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0+slAAEAGBjXAqAGAFwxgkb+KAFDAJRPi2VU1H4AQAfZ\/KgAAAQEICo4eQkQG1UJIGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV7trsA=="}
 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":302,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229850973410,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229850973410,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.entrust.net","http": {"url":"ocsp.entrust.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}}
 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":320,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229697731607,"flow_dst_last_pkt_time":1623229697742645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":399,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":399,"flow_dst_tot_l4_payload_len":2325,"midstream":0,"thread_ts_usec":1623229853240025,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01779{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":4682294.0,"max":10241196,"stddev":4928712.5,"var":24292207099904.0,"ent":3.6,"data": [12234,16624,475,17773,3362,21718,1169650,1186786,9796,24736,1031529,1046686,2550,18982,10158449,10174381,10240180,10240467,10240694,10240443,10239931,10239902,10238718,10240083,10241196,0,0,0,0,0,0,0]},"pktlen": {"min":118,"avg":338.2,"max":1566,"stddev":431.7,"var":186386.9,"ent":4.2,"data": [126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":4682294.0,"max":10241196,"stddev":4928712.5,"var":24292207099904.0,"ent":3.6,"data": [12234,16624,475,17773,3362,21718,1169650,1186786,9796,24736,1031529,1046686,2550,18982,10158449,10174381,10240180,10240467,10240694,10240443,10239931,10239902,10238718,10240083,10241196]},"pktlen": {"min":118,"avg":338.2,"max":1566,"stddev":431.7,"var":186386.9,"ent":4.2,"data": [126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":22,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229968257993,"flow_dst_last_pkt_time":1623229968253231,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229968257993,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":344,"packets-processed":344,"total-skipped-flows":0,"total-l4-payload-len":33113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1623229968257993}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -79,10 +79,10 @@
 ~~ total active/idle flows...: 10/10
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6061905 bytes
-~~ total memory freed........: 6061905 bytes
+~~ total memory allocated....: 6061865 bytes
+~~ total memory freed........: 6061865 bytes
 ~~ total allocations/frees...: 121969/121969
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1836 chars
-~~ json string avg len.......: 1163 chars
+~~ json string max len.......: 1834 chars
+~~ json string avg len.......: 1162 chars
diff --git a/test/results/ookla.pcap.out b/test/results/ookla.pcap.out
index 9bb302114..2fe3a4564 100644
--- a/test/results/ookla.pcap.out
+++ b/test/results/ookla.pcap.out
@@ -10,7 +10,7 @@
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1491069115107460,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1491069115144245,"pkt":"xCwDBkn+gCqojWksCABFAAA8AABAADMGWiUuLP27wKgBBx+QyA8qkdUorSOsy6ASOJC7tQAAAgQFrAQCCAp\/4XceDd4f9gEDAwU="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1491069115144357,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491069115144357,"pkt":"gCqojWksxCwDBkn+CABFAAA0VElAAEAGAADAqAEHLiz9u8gPH5CtI6zLKpHVKYAQECztvQAAAQEICg3eIBp\/4Xce"}
 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069115172347,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491069115172347,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":54747.4,"max":137734,"stddev":32631.2,"var":1064798016.0,"ent":4.7,"data": [36785,36897,27990,64017,72,36059,38392,72665,34304,27134,61863,34745,97665,133205,35538,27694,63063,35336,68477,103729,35275,26006,61113,35107,103239,137734,34506,32637,67251,34614,94056,0]},"pktlen": {"min":66,"avg":77.9,"max":100,"stddev":9.7,"var":93.7,"ent":5.0,"data": [78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":54747.4,"max":137734,"stddev":32631.2,"var":1064798016.0,"ent":4.7,"data": [36785,36897,27990,64017,72,36059,38392,72665,34304,27134,61863,34745,97665,133205,35538,27694,63063,35336,68477,103729,35275,26006,61113,35107,103239,137734,34506,32637,67251,34614,94056]},"pktlen": {"min":66,"avg":77.9,"max":100,"stddev":9.7,"var":93.7,"ent":5.0,"data": [78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00924{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2202,"flow_dst_packets_processed":2864,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069155086298,"flow_dst_last_pkt_time":1491069155251079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":883752,"flow_dst_tot_l4_payload_len":3462381,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":8,"flow_first_seen":1491069108756336,"flow_src_last_pkt_time":1491069114050266,"flow_dst_last_pkt_time":1491069114084923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":457,"flow_src_tot_l4_payload_len":1434,"flow_dst_tot_l4_payload_len":1546,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51207,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Ookla","proto_id":"7.191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}}
 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","packets-captured":5086,"packets-processed":5086,"total-skipped-flows":0,"total-l4-payload-len":4349113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1491069155251079}
@@ -22,10 +22,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6195063 bytes
-~~ total memory freed........: 6195063 bytes
+~~ total memory allocated....: 6195055 bytes
+~~ total memory freed........: 6195055 bytes
 ~~ total allocations/frees...: 126587/126587
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1716 chars
-~~ json string avg len.......: 1077 chars
+~~ json string max len.......: 1714 chars
+~~ json string avg len.......: 1076 chars
diff --git a/test/results/openvpn.pcap.out b/test/results/openvpn.pcap.out
index 90a82cd34..3b60dc208 100644
--- a/test/results/openvpn.pcap.out
+++ b/test/results/openvpn.pcap.out
@@ -5,14 +5,14 @@
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1467904946700231,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1467904946755145,"pkt":"AA6OGXEMhCYVLjtSCABFoAA8AABAADQGbecuZefawKgBTQG76uxsxVWWvpV7n6AScSBx2QAAAgQFtAQCCAoANCgCAA17SwEDAwE="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1467904946755184,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467904946755184,"pkt":"hCYVLjtSAA6OGXEMCABFAAA0ANZAAEAGYbnAqAFNLmXn2ursAbu+lXufbMVVl4AQOQjYsgAAAQEICgANe1AANCgC"}
 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904947700508,"flow_dst_last_pkt_time":1467904947753377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1467904947753377,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
-01847{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":87579.6,"max":997748,"stddev":233509.3,"var":54526590976.0,"ent":2.7,"data": [54914,54953,945324,997748,484,52895,181,76406,76231,41001,2720,125,43907,139,238,305,40498,40497,41001,40993,125,124,261,41001,40990,40292,40328,460,133,578,40117,0]},"pktlen": {"min":66,"avg":154.3,"max":371,"stddev":75.3,"var":5671.5,"ent":4.8,"data": [74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210]},"bins": {"c_to_s": [6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01845{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":87579.6,"max":997748,"stddev":233509.3,"var":54526590976.0,"ent":2.7,"data": [54914,54953,945324,997748,484,52895,181,76406,76231,41001,2720,125,43907,139,238,305,40498,40497,41001,40993,125,124,261,41001,40990,40292,40328,460,133,578,40117]},"pktlen": {"min":66,"avg":154.3,"max":371,"stddev":75.3,"var":5671.5,"ent":4.8,"data": [74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210]},"bins": {"c_to_s": [6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00556{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":96,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":9094,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1470218591746723}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470218591746723,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1470218591746723,"pkt":"mAyC0zx8AAjKQoXqCABFAABG3rhAAEARTXXAqCsMizuXiaIjNXAAMosJOLAsz\/G18BdPwJFmbjsSS62jkXMxe5OXItH+Y74AAAABV6HBXwAAAAAA"}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1470218591941902,"pkt":"AAjKQoXqmAyC0zx8CABFAABSYIhAADIR2ZmLO5eJwKgrDDVwoiMAPhWBQPd\/wu\/b4j9X3sTI1WVNByO\/jAvlQThWMnDPrhMAAAABV6HBXwEAAAAAsCzP8bXwF08AAAAA"}
 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1470218591941902,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1470218591942539,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470218591942539,"pkt":"mAyC0zx8AAjKQoXqCABFAABO3uZAAEARTT\/AqCsMizuXiaIjNXAAOpZEKLAsz\/G18BdPyDdJemqNaU65YLasCHjnV9mH+DAAAAACV6HBXwEAAAAA93\/C79viP1c="}
-01851{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":395,"avg":45316.0,"max":195816,"stddev":59561.3,"var":3547546112.0,"ent":3.9,"data": [195179,195816,838,177248,176180,535,476,500,395,473,450,98532,98585,29601,29590,19812,19831,411,519,50093,49983,29934,29992,20280,20221,9484,9461,38312,38344,31856,31865,0]},"pktlen": {"min":84,"avg":140.4,"max":345,"stddev":58.6,"var":3436.1,"ent":4.9,"data": [84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":395,"avg":45316.0,"max":195816,"stddev":59561.3,"var":3547546112.0,"ent":3.9,"data": [195179,195816,838,177248,176180,535,476,500,395,473,450,98532,98585,29601,29590,19812,19831,411,519,50093,49983,29934,29992,20280,20221,9484,9461,38312,38344,31856,31865]},"pktlen": {"min":84,"avg":140.4,"max":345,"stddev":58.6,"var":3436.1,"ent":4.9,"data": [84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01044{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":51,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467905010834916,"flow_dst_last_pkt_time":1467905010834882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":4602,"flow_dst_tot_l4_payload_len":4492,"midstream":0,"thread_ts_usec":1470218600860349,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":179,"packets-processed":178,"total-skipped-flows":0,"total-l4-payload-len":19167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1472334890224928}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334890224928,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472334890224928,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -20,7 +20,7 @@
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1472334892420816,"pkt":"mAyC0zx8MFLLbJwbCABFAABGfNNAAEARr1TAqCsSizuXiTVwNXAAMg7DOGYO4pqkkLBZptsOrY2Z8Me\/lrzRmp5vsU3x26QAAAACV8IMKgAAAAAA"}
 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1472334892467380,"pkt":"MFLLbJwbmAyC0zx8CABFAABSgmRAADERuLeLO5eJwKgrEjVwNXAAPoh1QDWQheTdAi5E5ZNzw1yvtD56Ix7qRbnOSoCURYgAAAABV8IMLQEAAAAAZg7imqSQsFkAAAAA"}
 00999{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":84,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1472334892467380,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
-01859{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":187742.6,"max":2242452,"stddev":537269.1,"var":288658030592.0,"ent":2.4,"data": [2195888,2242452,46716,128,203103,15136,218070,621,558,521,518,3451,3482,185164,185172,417,398,39454,39467,9396,9396,82274,82279,3757,3775,34199,34189,15722,15714,74305,74299,0]},"pktlen": {"min":84,"avg":137.3,"max":345,"stddev":58.9,"var":3466.4,"ent":4.9,"data": [84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":187742.6,"max":2242452,"stddev":537269.1,"var":288658030592.0,"ent":2.4,"data": [2195888,2242452,46716,128,203103,15136,218070,621,558,521,518,3451,3482,185164,185172,417,398,39454,39467,9396,9396,82274,82279,3757,3775,34199,34189,15722,15714,74305,74299]},"pktlen": {"min":84,"avg":137.3,"max":345,"stddev":58.9,"var":3466.4,"ent":4.9,"data": [84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01047{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":248,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":34,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218600860349,"flow_dst_last_pkt_time":1470218600859207,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":5802,"flow_dst_tot_l4_payload_len":4271,"midstream":0,"thread_ts_usec":1472334896789781,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01049{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":58,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334909464448,"flow_dst_last_pkt_time":1472334909465454,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":1245,"flow_src_tot_l4_payload_len":8904,"flow_dst_tot_l4_payload_len":14228,"midstream":0,"thread_ts_usec":1472334909465454,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":298,"packets-processed":298,"total-skipped-flows":0,"total-l4-payload-len":42299,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":3,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1472334909465454}
@@ -32,10 +32,10 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049613 bytes
-~~ total memory freed........: 6049613 bytes
+~~ total memory allocated....: 6049601 bytes
+~~ total memory freed........: 6049601 bytes
 ~~ total allocations/frees...: 121807/121807
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
-~~ json string max len.......: 1864 chars
-~~ json string avg len.......: 1177 chars
+~~ json string max len.......: 1862 chars
+~~ json string avg len.......: 1176 chars
diff --git a/test/results/oracle12.pcapng.out b/test/results/oracle12.pcapng.out
index e9f91c946..646fed964 100644
--- a/test/results/oracle12.pcapng.out
+++ b/test/results/oracle12.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038273 bytes
-~~ total memory freed........: 6038273 bytes
+~~ total memory allocated....: 6038269 bytes
+~~ total memory freed........: 6038269 bytes
 ~~ total allocations/frees...: 121508/121508
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/os_detected.pcapng.out b/test/results/os_detected.pcapng.out
index 3d797a212..867de6712 100644
--- a/test/results/os_detected.pcapng.out
+++ b/test/results/os_detected.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045928 bytes
-~~ total memory freed........: 6045928 bytes
+~~ total memory allocated....: 6045924 bytes
+~~ total memory freed........: 6045924 bytes
 ~~ total allocations/frees...: 121511/121511
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/ospfv2_add_new_prefix.pcap.out b/test/results/ospfv2_add_new_prefix.pcap.out
index f5dbbad78..a13dd5197 100644
--- a/test/results/ospfv2_add_new_prefix.pcap.out
+++ b/test/results/ospfv2_add_new_prefix.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 506 chars
diff --git a/test/results/pgm.pcap.out b/test/results/pgm.pcap.out
index 58b8e49ed..a523c2768 100644
--- a/test/results/pgm.pcap.out
+++ b/test/results/pgm.pcap.out
@@ -5,7 +5,7 @@
 00820{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564815455078,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564815455078,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1654564816295763,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":129,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":129,"pkt_l4_len":95,"thread_ts_usec":1654564816295763,"pkt":"AQBeAAEviFH7P19UCABFAABzDnBAABRxH+0K9ECa6wABL9YlAHsEAAH0CvRAmtYlAF8AUenoAFHoKENTQQCABAAAbQAFAFBSSUNFAAAAAAAAAAAAAAAAAAAAAP\/\/AADXyjEBAQAAAAr0QJoAAAAANH8AAAAAAAABAAAAAQAAACoA"}
 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1654564816316549,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":127,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":127,"pkt_l4_len":93,"thread_ts_usec":1654564816316549,"pkt":"AQBeAAEviFH7P19UCABFAABxDoBAABRxH98K9ECa6wABL9YlAHsEAE8tCvRAmtYlAF0AUenpAFHoKENTQQCABAAAbQADAExPRwAAAAAAAAAAAAAAAAAAAAD\/\/wAA18oxAQEAAAAK9ECaAAAAAEJ\/AAAAAAAAAQAAAAEAAAAqAA=="}
-01681{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":16,"avg":62573.2,"max":840685,"stddev":155726.8,"var":24250839040.0,"ent":2.9,"data": [840685,20786,25,36771,5581,109,6559,20,17008,16,14904,14731,16,37275,29,168236,95027,1618,67043,1565,11009,51225,29,243023,25455,15996,6391,15033,3510,84,240009,0]},"pktlen": {"min":70,"avg":203.2,"max":1344,"stddev":214.8,"var":46132.5,"ent":4.6,"data": [70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127]},"bins": {"c_to_s": [0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01679{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":16,"avg":62573.2,"max":840685,"stddev":155726.8,"var":24250839040.0,"ent":2.9,"data": [840685,20786,25,36771,5581,109,6559,20,17008,16,14904,14731,16,37275,29,168236,95027,1618,67043,1565,11009,51225,29,243023,25455,15996,6391,15033,3510,84,240009]},"pktlen": {"min":70,"avg":203.2,"max":1344,"stddev":214.8,"var":46132.5,"ent":4.6,"data": [70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127]},"bins": {"c_to_s": [0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00871{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1000,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564894361003,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":162302,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564894361003,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","packets-captured":1000,"packets-processed":1000,"total-skipped-flows":0,"total-l4-payload-len":162302,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1654564894361003}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6064617 bytes
-~~ total memory freed........: 6064617 bytes
+~~ total memory allocated....: 6064613 bytes
+~~ total memory freed........: 6064613 bytes
 ~~ total allocations/frees...: 122486/122486
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1686 chars
-~~ json string avg len.......: 1031 chars
+~~ json string max len.......: 1684 chars
+~~ json string avg len.......: 1030 chars
diff --git a/test/results/pgsql.pcap.out b/test/results/pgsql.pcap.out
index 8732e153a..8b8120642 100644
--- a/test/results/pgsql.pcap.out
+++ b/test/results/pgsql.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042500 bytes
-~~ total memory freed........: 6042500 bytes
+~~ total memory allocated....: 6042492 bytes
+~~ total memory freed........: 6042492 bytes
 ~~ total allocations/frees...: 121538/121538
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/pim.pcap.out b/test/results/pim.pcap.out
index 067f4d031..8e76effc2 100644
--- a/test/results/pim.pcap.out
+++ b/test/results/pim.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035907 bytes
-~~ total memory freed........: 6035907 bytes
+~~ total memory allocated....: 6035903 bytes
+~~ total memory freed........: 6035903 bytes
 ~~ total allocations/frees...: 121496/121496
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/pinterest.pcap.out b/test/results/pinterest.pcap.out
index 12806b516..f3bf6e8b4 100644
--- a/test/results/pinterest.pcap.out
+++ b/test/results/pinterest.pcap.out
@@ -13,7 +13,7 @@
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713761186,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289713761745,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01217{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713802900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289713802900,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 02997{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713802981,"flow_dst_last_pkt_time":1605289713803139,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289713803139,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
-01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13934.5,"max":172415,"stddev":32920.5,"var":1083758080.0,"ent":2.7,"data": [17629,17683,505,39969,1745,1,2,41182,41,13,234,2,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1,0,0]},"pktlen": {"min":86,"avg":378.1,"max":1134,"stddev":421.4,"var":177613.6,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563]},"bins": {"c_to_s": [10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1]}}
+01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13934.5,"max":172415,"stddev":32920.5,"var":1083758080.0,"ent":2.7,"data": [17629,17683,505,39969,1745,1,2,41182,41,13,234,2,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1]},"pktlen": {"min":86,"avg":378.1,"max":1134,"stddev":421.4,"var":177613.6,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563]},"bins": {"c_to_s": [10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1]}}
 03000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714142423,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714142423,"pkt":"qtsDr8lk5EKm5WPyht1gBvDPACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElnABu5Qp1R0AAAAAoAL9IJUzAAACBAWgBAIICtZiIAMAAAAAAQMDBw=="}
@@ -63,7 +63,7 @@
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714250997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714250997,"pkt":"qtsDr8lk5EKm5WPyht1gCIReACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAC5WYBu2PBi7kDA7Y3gBAB9bhLAAABAQgKDEf\/5cK4cls="}
 00789{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714251006,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289714251006,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:13e2","src_port":34626,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714251006,"pkt":"qtsDr8lk5EKm5WPyht1gCQO3ACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RPih0IBu\/o5BzSfc9\/MgBAB9chlAAABAQgK4ziLg8K4a4Y="}
-01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7879.4,"max":53871,"stddev":14938.4,"var":223155888.0,"ent":3.0,"data": [29210,29304,461,30605,2146,1,1,1,32223,44,9,7,7205,255,2012,156,139,311,354,53871,1,222,1,43618,1326,1,1343,231,798,527,0,0]},"pktlen": {"min":86,"avg":395.0,"max":1474,"stddev":486.9,"var":237029.2,"ent":4.1,"data": [94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7879.4,"max":53871,"stddev":14938.4,"var":223155888.0,"ent":3.0,"data": [29210,29304,461,30605,2146,1,1,1,32223,44,9,7,7205,255,2012,156,139,311,354,53871,1,222,1,43618,1326,1,1343,231,798,527]},"pktlen": {"min":86,"avg":395.0,"max":1474,"stddev":486.9,"var":237029.2,"ent":4.1,"data": [94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":212,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250965,"flow_dst_last_pkt_time":1605289714281312,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714281312,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuBhOqRBG+Jl1nfgBAm9NLhAAABAQgKwrkiYM+oHbQ="}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":213,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714288930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgLAAAAAAAAIAIqAcsBIEmLB5kd7IUo3\/YpAbvlZgMDtjdjwYu6gBAMIRHEAAABAQgKwrkiZwxF7DU="}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714288932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288932,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAKzZE+IqAcsBIEmLB5kd7IUo3\/YpAbuHQp9z38z6OQc1gBALjSOBAAABAQgKwrkiaOM2b+4="}
@@ -84,20 +84,20 @@
 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714658043,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714697878,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuCAAsx4c9qQ0l9oBJXgI0UAAACBAV4AQMDAwQCCArCuSQBz6oz\/w=="}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714697936,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714697936,"pkt":"qtsDr8lk5EKm5WPyht1gCBesACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUggABu2pDSX0LMeHQgBAB+xD+AAABAQgKz6o0J8K5JAE="}
 01165{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":544,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714698324,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9250.6,"max":43788,"stddev":14140.2,"var":199945248.0,"ent":3.4,"data": [26021,26034,177,34476,9474,43788,3,51,24,2375,110,130,39176,1,238,310,37117,263,3095,2873,7183,1,7144,49,3,681,625,589,26257,0,0,0]},"pktlen": {"min":86,"avg":265.0,"max":1294,"stddev":327.8,"var":107441.1,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9250.6,"max":43788,"stddev":14140.2,"var":199945248.0,"ent":3.4,"data": [26021,26034,177,34476,9474,43788,3,51,24,2375,110,130,39176,1,238,310,37117,263,3095,2873,7183,1,7144,49,3,681,625,589,26257]},"pktlen": {"min":86,"avg":265.0,"max":1294,"stddev":327.8,"var":107441.1,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":575,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714739608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289714739608,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 03005{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":583,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714739677,"flow_dst_last_pkt_time":1605289714740234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289714740234,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714782619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714782619,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqIAAAAAoAL9IEOtAAACBAWgBAIICnRgZN4AAAAAAQMDBw=="}
-01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16865.0,"max":132689,"stddev":30676.7,"var":941058048.0,"ent":3.1,"data": [23500,23520,222,32278,1902,1,33966,35,25,324,242,8,1731,75,102,35078,5741,3731,1,42641,14,135,39228,93613,132689,1225,118,74,0,0,0,0]},"pktlen": {"min":86,"avg":323.4,"max":1294,"stddev":401.1,"var":160869.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585]},"bins": {"c_to_s": [11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16865.0,"max":132689,"stddev":30676.7,"var":941058048.0,"ent":3.1,"data": [23500,23520,222,32278,1902,1,33966,35,25,324,242,8,1731,75,102,35078,5741,3731,1,42641,14,135,39228,93613,132689,1225,118,74]},"pktlen": {"min":86,"avg":323.4,"max":1294,"stddev":401.1,"var":160869.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585]},"bins": {"c_to_s": [11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":692,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714832909,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoETkIAHQAAAAAAAAAAByAqAcsBIEmLB5kd7IUo3\/YpAbve2qyyOFrOS7qjoBJXgB0bAAACBAV4AQMDAwQCCArCuSSHdGBk3g=="}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":693,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714832956,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714832956,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqOssjhbgBAB+6D6AAABAQgKdGBlEMK5JIc="}
 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714833176,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01198{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":870,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714867730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289714867730,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 03423{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":876,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714868409,"flow_dst_last_pkt_time":1605289714869584,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5552,"midstream":0,"thread_ts_usec":1605289714869584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}}
-01572{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15923.9,"max":89623,"stddev":23339.0,"var":544706624.0,"ent":3.3,"data": [39835,39893,388,39880,1850,1,41296,35,60,18,4,565,563,29,2922,2605,564,39805,119,1086,1924,36819,15,203,49740,40102,89623,0,0,0,0,0]},"pktlen": {"min":86,"avg":314.8,"max":1134,"stddev":374.8,"var":140490.0,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0]}}
+01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15923.9,"max":89623,"stddev":23339.0,"var":544706624.0,"ent":3.3,"data": [39835,39893,388,39880,1850,1,41296,35,60,18,4,565,563,29,2922,2605,564,39805,119,1086,1924,36819,15,203,49740,40102,89623]},"pktlen": {"min":86,"avg":314.8,"max":1134,"stddev":374.8,"var":140490.0,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0]}}
 03008{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
-01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9244.2,"max":50337,"stddev":16381.3,"var":268348496.0,"ent":2.9,"data": [50290,50337,220,31719,3102,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,1,29460,6,548,1,514,15,6,589,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":512.7,"max":1474,"stddev":595.9,"var":355070.7,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474]},"bins": {"c_to_s": [12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1]}}
+01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9244.2,"max":50337,"stddev":16381.3,"var":268348496.0,"ent":2.9,"data": [50290,50337,220,31719,3102,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,1,29460,6,548,1,514,15,6,589]},"pktlen": {"min":86,"avg":512.7,"max":1474,"stddev":595.9,"var":355070.7,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474]},"bins": {"c_to_s": [12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1]}}
 03428{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}}
 00796{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715133578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715133578,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfcAAAAAoAL9IJHxAAACBAWgBAIICjiITggAAAAAAQMDBw=="}
@@ -117,9 +117,9 @@
 01175{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3667,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715301345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715301671,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01204{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3797,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715274121,"flow_dst_last_pkt_time":1605289715321807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289715321807,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3820,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715333684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1605289715333684,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16842.4,"max":76867,"stddev":27411.8,"var":751406272.0,"ent":2.8,"data": [76818,76867,1845,47286,29961,75361,6,2,2110,577,1618,47934,88,1,1,1,1,43713,12,4,2,3,3,4,0,0,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":421.6,"max":1294,"stddev":486.0,"var":236213.0,"ent":4.2,"data": [94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13919.2,"max":79486,"stddev":22440.7,"var":503587040.0,"ent":3.3,"data": [51607,51735,639,27991,20462,1,47699,14,8,3349,184,136,69956,1,28,13172,79486,329,8681,8388,16746,3,2,2,16717,40,14,21,164,2,0,0]},"pktlen": {"min":86,"avg":436.1,"max":1294,"stddev":496.1,"var":246097.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11676.3,"max":93180,"stddev":22011.3,"var":484498880.0,"ent":3.0,"data": [26987,27077,236,32338,1,32042,17,3873,399,116,64739,93180,2,1,290,2,3,2,24343,46,12,9,157,3,2,82,23,41,4388,39879,0,0]},"pktlen": {"min":86,"avg":285.0,"max":1466,"stddev":368.4,"var":135732.3,"ent":4.2,"data": [94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213]},"bins": {"c_to_s": [12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16842.4,"max":76867,"stddev":27411.8,"var":751406272.0,"ent":2.8,"data": [76818,76867,1845,47286,29961,75361,6,2,2110,577,1618,47934,88,1,1,1,1,43713,12,4,2,3,3,4]},"pktlen": {"min":86,"avg":421.6,"max":1294,"stddev":486.0,"var":236213.0,"ent":4.2,"data": [94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13919.2,"max":79486,"stddev":22440.7,"var":503587040.0,"ent":3.3,"data": [51607,51735,639,27991,20462,1,47699,14,8,3349,184,136,69956,1,28,13172,79486,329,8681,8388,16746,3,2,2,16717,40,14,21,164,2]},"pktlen": {"min":86,"avg":436.1,"max":1294,"stddev":496.1,"var":246097.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11676.3,"max":93180,"stddev":22011.3,"var":484498880.0,"ent":3.0,"data": [26987,27077,236,32338,1,32042,17,3873,399,116,64739,93180,2,1,290,2,3,2,24343,46,12,9,157,3,2,82,23,41,4388,39879]},"pktlen": {"min":86,"avg":285.0,"max":1466,"stddev":368.4,"var":135732.3,"ent":4.2,"data": [94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213]},"bins": {"c_to_s": [12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715782853,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715782853,"pkt":"qtsDr8lk5EKm5WPyht1gAWIEACgGQCoBywEgSYsHmR3shSjf9ikqAyiA8R8Ag\/rOsAwAACXe67QBu2RbtWoAAAAAoAL9IBbyAAACBAWgBAIICmcfa8wAAAAAAQMDBw=="}
 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6878,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715833903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715833903,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoDKIDxHwCD+s6wDAAAJd4qAcsBIEmLB5kd7IUo3\/YpAbvrtAAp+EJkW7VroBJXgNkoAAACBAV4AQMDAwQCCArCuShfZx9rzA=="}
@@ -137,16 +137,16 @@
 00896{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9522,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716168715,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":158,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":158,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289716168715,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9523,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":209,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":209,"pkt_l4_len":155,"thread_ts_usec":1605289716168917,"pkt":"qtsDr8lk5EKm5WPyht1gB32\/AJsGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACADqioBu9lanJS\/4e68gBgE1YEBAAABAQgKZPSVcMK4jAQXAwMAT0+KQ56NjlMHGW+d6G5ddduewRHnDyQJNOhFGSBeS16m4KVAja7XHlyuQrxKoq24Sn8bLVvUYgiRl0ogV926yAF+\/eBnK0DefdFCPgWpP6kXAwMAIh\/Eke2gVwnwKuWIWa9HbFAoJdRk5f1TigycRztSwvhmbFo="}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9663,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716192184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289716192184,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgFAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbuqKr\/h7rzZWpyUgBALf8h0AAABAQgKwrkp2GT0lXA="}
-01691{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2461.8,"max":28590,"stddev":7061.6,"var":49866864.0,"ent":1.8,"data": [202,23469,160,5107,2,28590,251,1,1,2,214,4,31,19,391,1,1,397,8,1304,1,1316,72,1,1,0,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":752.8,"max":1294,"stddev":578.2,"var":334348.7,"ent":4.5,"data": [244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294]},"bins": {"c_to_s": [7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01677{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2461.8,"max":28590,"stddev":7061.6,"var":49866864.0,"ent":1.8,"data": [202,23469,160,5107,2,28590,251,1,1,2,214,4,31,19,391,1,1,397,8,1304,1,1316,72,1,1]},"pktlen": {"min":86,"avg":752.8,"max":1294,"stddev":578.2,"var":334348.7,"ent":4.5,"data": [244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294]},"bins": {"c_to_s": [7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717548570,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717548570,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD4AAAAAoAL9ID+FAAACBAWgBAIICjGG9eUAAAAAAQMDBw=="}
 00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14613,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717572004,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIA0qAcsBIEmLB5kd7IUo3\/YpAbufvovR75juz2g\/oBJXgHfiAAACBAV4AQMDAwQCCArCuS86MYb15Q=="}
 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14614,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1605289717572182,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289717572182,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD+L0e+ZgBAB+\/vbAAABAQgKMYb1\/cK5Lzo="}
 01164{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14615,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717572787,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14617,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717605090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289717605090,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":68443.0,"max":1485939,"stddev":273484.9,"var":74793992192.0,"ent":1.6,"data": [55481,55557,2604,45080,17803,15,60231,16,286,275,9398,2484,606,42880,228,1,30633,193,14864,14650,23014,23014,8,85,70,1606,29384,1485939,0,0,0,0]},"pktlen": {"min":86,"avg":252.1,"max":1294,"stddev":317.7,"var":100919.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251]},"bins": {"c_to_s": [11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9182.1,"max":42968,"stddev":13199.7,"var":174232352.0,"ent":3.5,"data": [23434,23612,605,27825,5261,2,32335,48,7,3191,171,159,42968,880,1,157,40413,894,3393,2534,21369,1,21337,22,7799,1,1,7829,32,0,0,0]},"pktlen": {"min":86,"avg":432.8,"max":1294,"stddev":492.4,"var":242485.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":133498.8,"max":1522186,"stddev":376551.6,"var":141791068160.0,"ent":2.3,"data": [51050,51117,702,184290,1,183671,66,7538,8559,3870,48706,3,10603,1,1,39192,55,6,1700,5826,4025,34675,42375,77042,1489773,1522186,1,32460,71970,0,0,0]},"pktlen": {"min":86,"avg":273.4,"max":1466,"stddev":363.6,"var":132225.8,"ent":4.1,"data": [94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":68443.0,"max":1485939,"stddev":273484.9,"var":74793992192.0,"ent":1.6,"data": [55481,55557,2604,45080,17803,15,60231,16,286,275,9398,2484,606,42880,228,1,30633,193,14864,14650,23014,23014,8,85,70,1606,29384,1485939]},"pktlen": {"min":86,"avg":252.1,"max":1294,"stddev":317.7,"var":100919.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251]},"bins": {"c_to_s": [11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9182.1,"max":42968,"stddev":13199.7,"var":174232352.0,"ent":3.5,"data": [23434,23612,605,27825,5261,2,32335,48,7,3191,171,159,42968,880,1,157,40413,894,3393,2534,21369,1,21337,22,7799,1,1,7829,32]},"pktlen": {"min":86,"avg":432.8,"max":1294,"stddev":492.4,"var":242485.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":133498.8,"max":1522186,"stddev":376551.6,"var":141791068160.0,"ent":2.3,"data": [51050,51117,702,184290,1,183671,66,7538,8559,3870,48706,3,10603,1,1,39192,55,6,1700,5826,4025,34675,42375,77042,1489773,1522186,1,32460,71970]},"pktlen": {"min":86,"avg":273.4,"max":1466,"stddev":363.6,"var":132225.8,"ent":4.1,"data": [94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718346936,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718346936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":56940,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289718346936,"pkt":"qtsDr8lk5EKm5WPyht1gDn7LACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3mwBu1MbKQQ2nwhTgBBf5ZGnAAABAQgKdGByysK4e5A="}
 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14834,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718347032,"flow_src_last_pkt_time":1605289718347032,"flow_dst_last_pkt_time":1605289718347032,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718347032,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51472,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -193,8 +193,8 @@
 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733006105,"flow_dst_last_pkt_time":1605289733059043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289733059043,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 03003{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16230,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733059060,"flow_dst_last_pkt_time":1605289733060311,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5322,"midstream":0,"thread_ts_usec":1605289733060311,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16506,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733019850,"flow_dst_last_pkt_time":1605289733177092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289733177092,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"www.google-analytics.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":18775.5,"max":157269,"stddev":37764.8,"var":1426178688.0,"ent":2.7,"data": [46894,46909,201,112030,45428,2,157269,9,5,2935,270,2964,37660,1,1100,1,32562,12,3,631,955,1,308,7,3,3,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":427.0,"max":1294,"stddev":486.7,"var":236885.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
-01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":27300.3,"max":135965,"stddev":41843.3,"var":1750865408.0,"ent":3.2,"data": [46509,46553,392,49783,3591,52945,10,1267,1,1272,3,2358,266,496,109019,1,1,105909,5,6,6499,35807,111148,135965,1,2,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":444.6,"max":1474,"stddev":544.3,"var":296293.8,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474]},"bins": {"c_to_s": [9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1]}}
+01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":18775.5,"max":157269,"stddev":37764.8,"var":1426178688.0,"ent":2.7,"data": [46894,46909,201,112030,45428,2,157269,9,5,2935,270,2964,37660,1,1100,1,32562,12,3,631,955,1,308,7,3,3]},"pktlen": {"min":86,"avg":427.0,"max":1294,"stddev":486.7,"var":236885.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
+01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":27300.3,"max":135965,"stddev":41843.3,"var":1750865408.0,"ent":3.2,"data": [46509,46553,392,49783,3591,52945,10,1267,1,1272,3,2358,266,496,109019,1,1,105909,5,6,6499,35807,111148,135965,1,2]},"pktlen": {"min":86,"avg":444.6,"max":1474,"stddev":544.3,"var":296293.8,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474]},"bins": {"c_to_s": [9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1]}}
 03007{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}}
 00791{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733399863,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289733399863,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgkAAAAAoAL9IKzvAAACBAWgBAIICsW6TI0AAAAAAQMDBw=="}
@@ -203,7 +203,7 @@
 01143{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":17597,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733420828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733421383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17600,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733466833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289733466833,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 03067{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17606,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733466898,"flow_dst_last_pkt_time":1605289733468841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289733468841,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}}
-01567{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":6845.7,"max":45476,"stddev":12150.2,"var":147627232.0,"ent":3.2,"data": [20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2,0]},"pktlen": {"min":86,"avg":391.7,"max":1134,"stddev":441.2,"var":194656.5,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1]}}
+01565{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":6845.7,"max":45476,"stddev":12150.2,"var":147627232.0,"ent":3.2,"data": [20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2]},"pktlen": {"min":86,"avg":391.7,"max":1134,"stddev":441.2,"var":194656.5,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1]}}
 03070{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}}
 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00797{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -267,8 +267,8 @@
 ~~ total active/idle flows...: 37/37
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7679142 bytes
-~~ total memory freed........: 7679142 bytes
+~~ total memory allocated....: 7678994 bytes
+~~ total memory freed........: 7678994 bytes
 ~~ total allocations/frees...: 140736/140736
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/pluralsight.pcap.out b/test/results/pluralsight.pcap.out
index e89180909..11bddd1e9 100644
--- a/test/results/pluralsight.pcap.out
+++ b/test/results/pluralsight.pcap.out
@@ -55,8 +55,8 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6103395 bytes
-~~ total memory freed........: 6103395 bytes
+~~ total memory allocated....: 6103371 bytes
+~~ total memory freed........: 6103371 bytes
 ~~ total allocations/frees...: 121633/121633
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
diff --git a/test/results/pop3.pcap.out b/test/results/pop3.pcap.out
index 6f96a7b76..207df7a39 100644
--- a/test/results/pop3.pcap.out
+++ b/test/results/pop3.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038635 bytes
-~~ total memory freed........: 6038635 bytes
+~~ total memory allocated....: 6038631 bytes
+~~ total memory freed........: 6038631 bytes
 ~~ total allocations/frees...: 121520/121520
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/pop3_stls.pcap.out b/test/results/pop3_stls.pcap.out
index 0dc48a855..2c3501a92 100644
--- a/test/results/pop3_stls.pcap.out
+++ b/test/results/pop3_stls.pcap.out
@@ -8,7 +8,7 @@
 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810349671,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":149,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":225,"midstream":0,"thread_ts_usec":1346096810351879,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":8,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810420652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":1685,"midstream":0,"thread_ts_usec":1346096810420652,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":11,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810421794,"flow_dst_last_pkt_time":1346096810490233,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":4965,"midstream":0,"thread_ts_usec":1346096810490233,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
-01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":262973.8,"max":2072094,"stddev":524859.6,"var":275477528576.0,"ent":3.3,"data": [68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810,0]},"pktlen": {"min":54,"avg":248.5,"max":1514,"stddev":417.0,"var":173868.9,"ent":3.8,"data": [66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103]},"bins": {"c_to_s": [9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1]}}
+01600{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":262973.8,"max":2072094,"stddev":524859.6,"var":275477528576.0,"ent":3.3,"data": [68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810]},"pktlen": {"min":54,"avg":248.5,"max":1514,"stddev":417.0,"var":173868.9,"ent":3.8,"data": [66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103]},"bins": {"c_to_s": [9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1]}}
 01120{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01150{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":30,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096814309972,"flow_dst_last_pkt_time":1346096814377321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":805,"flow_dst_tot_l4_payload_len":7462,"midstream":0,"thread_ts_usec":1346096814377321,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","packets-captured":53,"packets-processed":53,"total-skipped-flows":0,"total-l4-payload-len":8267,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1346096814377321}
@@ -20,10 +20,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055468 bytes
-~~ total memory freed........: 6055468 bytes
+~~ total memory allocated....: 6055464 bytes
+~~ total memory freed........: 6055464 bytes
 ~~ total allocations/frees...: 121552/121552
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1607 chars
-~~ json string avg len.......: 1033 chars
+~~ json string max len.......: 1605 chars
+~~ json string avg len.......: 1032 chars
diff --git a/test/results/pops.pcapng.out b/test/results/pops.pcapng.out
index 6001cca27..2aafed055 100644
--- a/test/results/pops.pcapng.out
+++ b/test/results/pops.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042317 bytes
-~~ total memory freed........: 6042317 bytes
+~~ total memory allocated....: 6042313 bytes
+~~ total memory freed........: 6042313 bytes
 ~~ total allocations/frees...: 121496/121496
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/pps.pcap.out b/test/results/pps.pcap.out
index 9e2647461..ad46df5c4 100644
--- a/test/results/pps.pcap.out
+++ b/test/results/pps.pcap.out
@@ -25,16 +25,16 @@
 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136440165,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1467353136440581,"pkt":"TF4M6gNlABxCjnAxCABFAABBf0AAAIARQDrAqHMI2+RrnFkJBOIALQK82oCeu7tQQPUjL7WiHx8fHhoTSt7f39\/fs\/\/\/\/\/\/\/\/\/\/7O8Q7\/w=="}
 01929{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136439495,"flow_dst_last_pkt_time":1467353136451735,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136451735,"pkt":"ABxCjnAxTF4M6gNlCABFAARFKL0AAHkRbnJyKgCewKhzCB4kWQkEMQAA5YSwlpa05Mz2MVewhoaCw8Hl+3pZtoju6+vr60s2NjY2NjY2Mvku7QuOheQK9+NWgE7h2muxGM8D4DLm\/5x\/1\/JkPV6l86b3frCbpFSV7e2oOEkA4r\/bSCXhW8qYH5FqZgI6H822zV3AiRFliRCzdnIUkAPC4PeWFP8SV27xJ8xbxdt32Kzd8xhvmCkAgFUGD2aDXcaHo\/t3xxnKLSSA2No89lgZtTN6aTV4hYqd8hyVjK50Td7AS5rauDqcBz+RRXO4T+EAR5e7iDWXURHfR8EdQTfwsVkGPPWQFWZnZXoFkiluRuLCi6QTHJ\/wv2anzG520CpgomFFVPifWxBY1yo+25yZEvPeAFUPD9JwFSkkY+renkyqaouITdp\/U5xCqpe0AiGnlKCVH+BXW1qBJEl+erh8fAIyCpGCzFIqJ4Pmf9KyHWQyO4dZwZwHlnZ9L\/lCDYLl+5l+PyECs5D7mp401ix6MgQniSKHDqSvAoHhct48Iil039ISc4jtlzQP8VPwMzO9dm5pliz3vR0jeva2ymZtvGZZHTgf3Z20dDWyQbeaMA4XFPN2Dgy4dZttatnu9U\/U8ZcatdkKiTvqlJM38cgX5B7bCcpaNF6r3DNkDbHSWu4IAdS0k86zdu0VLwc0p8Sl4c42gst9OSqI2bgJaWokPPfPasrMJYfwhCW3ctsOEbYyz0tCOtujPD4KQzVdsNsD0KynxPfIWPXEi4xkfSsHXTRIuDUuPSCaFsBafpHRF0UphHR7Pno40CdJL751OfYk6pKOpNzNQbZZEehR+La+0h5w1JnTzl9xMmPBQfRhxB4vL3mFDo0xuCa+sNfqgmrXE4E39PE8sZpsHdLuGNschu3yhzgir1zABCnBIEcAyJ82rPj3RhxSQcuNkKpNPC9UtYHqYQAABjUJAANMAPSIAAAAACcBAAAAAAADQwGe+7MifwCEzAhiIBeWLxdoIrozlE8XeJKfA0uhUzS6uAS7Ddrnl5s0qHmNYhCP2pZ1KZuNwa9ptwEToJwndi6+1zT0Em8ViTT0l\/PGSsXOdNwvfrI1hMghxy4hD5qdkALJ90LEYzn1\/xjQkHRWjEqhjaHkpFzfnyr5yWlcpJ2H9l+D4J2fKYI45G95h2VWJS7e1cWbomHCJsHbzbwx2JxLcpC+eYkeCHz\/iclfVtYP\/E28eKUh+dQCQYHOCX1RgjhnndoYo4d9RCXRRhGqFWhuoX9Qkc6+q3FSYirrEYByX9CjozjqMmFBqri7DW7e\/A+Gtc1g4ZuGpzSVp4JMgIJcfPSA7z3zPWPYvTFuhpOQgZePdrYomcO3Fkae11rDSLaGWDnRLMyo5ZgKRiA5vOsVB0rF\/WA2Lanl39fkOuqzI5Mbb9\/2jAmNrToXgJUbWeGPhzwYtVlwp5b6KSwdvPQ0HH0AAAAA"}
 01940{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136470091,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136470091,"pkt":"ABxCjnAxTF4M6gNlCABFKARFVaEAAGURgK3b5GucwKhzCATiWQkEMdtFzISZv79URPEnK7GmGxsfXlyX4U4GsCimp6enp++jo6Ojo6OjpwDlWJTX1\/VR7NYrdZ8iw9hBVil1k3qsvepXHXvuMV4G4bY\/7FqHvHs6hWOCtrl3tuHHM3btfKlPjHjmmUJV9saYFG3shSVoHte4TwNPMs8Ihb+6CEl1C4ObFOV4cpEdSIpnRG\/HdCceK8v\/Yg4PX\/Y3QMZhvFEU\/aVfhwhsv41eQ1iaeG2UXEuD2KZKuPG0Tgd2x\/\/tZFf\/VtlLdZpCBJDKFeYnvEIiDsaQ7dS9bFDybOYNbQRsYlx4vdyTOQyZ9dWmPET9vKjX1C1s5QZnSJoAVU1k1fd+paH9lthbdOTYV7CKfmZy3IzKX6sKff+RpApDAs9XUVsB\/Kp1xnqFYTqzs3FAeAm8rVpI58rJM8tLYvBzAVaqwWhzIf0knXhYOVChXWhxhnaR46DwmBmHtJbiZv7kcOHpGmw+JJHvLbH\/9nhmnSxbGrTLXYrvdoMK+D4qHDYoKhCNTIqWr1x293NU\/irKFwQ77pDnFDMZGstHu45rqJzQRBnDBT\/RxyhgJlDUXZwbrBOWk54R3+0H9X8sCxCU0jByFfSreAvTxm9L5EmXKYI8LBBvn\/d30\/LgaB6FNc4qu7jT84ssBEc4Sde9KkWIkQ9UcCUBqIo85pR8QX8kwMAUE9Vcnxj57ZjyFlfvbMafZbPzw+dZdNM9fJdU8+vQ+8KnnRDAUrxC0dliIt8ifC7hLDk3kAHMA7BE6g0bZ4gKU2bjGJ5eqtWzSHnyBo9+hOrXUdoMDG36GRAle0bMitZabac6i0\/+Mrc9jBP2RSaKhfdrf32XNFopOiSbtB8JEk62kQAwm3uKD\/cndXhTvcem\/vXUa6xKv1Frofj24dy17GRlDqkS8zOCOsgMmzcCqauXneUes0mhMZCc9njZscArmdX7uWek8HqED71jcZoIG1kr11Cg3WkHBfBWlPOeDTI0fJIwZxYbBfKfY7EMdzylN\/T3aJ\/sPvpdQK4lQzeH+aKhhm7ycILBiO3aKE1LvOZknkff\/LsUxbrtpRqj1ADo4brAsYbrHyBbLtaVTGouvIRQUlMIYcYFiFwkOQDQMNEIKnN+TSbLptXblUGCNwJpX5f5Uk0\/QKmerhQPRa0UsG5OCykWNYoPSuMcfAD2GFF3wbR9U2X2Dk7cPApHN7NPhHT+sX\/QASfuLzjacAvs7KnfBVDkcL+5ODhe7XfUHprXAEc9YbqO3IYocMewPBVwRrw3TVJ5IZApjiX3IvBTM7IR1VIPJyyWgHQvzKJoZqrxDWR17vV38taeyJFoOUGl5V1tf+ulF2vCSr3JRzT5Tl+zLn+Qs\/hENB\/LIaOr0SiIhS\/XloJHeYuFn+yTXg8JXdPPH4UKKpKyF6kn+u\/7tG6FjsqJRu3WcAEAAAAA"}
-01542{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2605.6,"max":13556,"stddev":4035.9,"var":16288762.0,"ent":3.7,"data": [306,331,2951,1986,4674,337,125,2,561,612,2012,866,221,1880,1060,119,11920,11824,91,13556,13473,115,2750,2611,216,1278,998,122,1608,1850,320,0]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]}}
+01540{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2605.6,"max":13556,"stddev":4035.9,"var":16288762.0,"ent":3.7,"data": [306,331,2951,1986,4674,337,125,2,561,612,2012,866,221,1880,1060,119,11920,11824,91,13556,13473,115,2750,2611,216,1278,998,122,1608,1850,320]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]}}
 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
-01546{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":2455.7,"max":12554,"stddev":3705.5,"var":13730790.0,"ent":3.8,"data": [314,12554,12553,190,1137,940,141,1586,1472,244,2060,1844,332,694,598,286,1704,1051,140,3586,5819,415,11908,9064,111,1248,1392,110,1452,1075,107,0]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]}}
+01544{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":2455.7,"max":12554,"stddev":3705.5,"var":13730790.0,"ent":3.8,"data": [314,12554,12553,190,1137,940,141,1586,1472,244,2060,1844,332,694,598,286,1704,1051,140,3586,5819,415,11908,9064,111,1248,1392,110,1452,1075,107]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]}}
 00807{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136483217,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136483217,"l3_proto":"ip4","src_ip":"183.228.182.44","dst_ip":"192.168.115.8","src_port":13913,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1467353136483217,"pkt":"ABxCjnAxTF4M6gNlCABFAABJGboAAG4RkSi35LYswKhzCDZZWQkANUuZLYBpf39e0v7fca+OwsfHOTl\/IikLCQkWAAkJKytvb9HBysr2yjYJCAYGBiUA"}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":106,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483414,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483414,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483605,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483605,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="}
 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440579,"flow_dst_last_pkt_time":1467353136492484,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136492484,"pkt":"ABxCjnAxTF4M6gNlCABFKARFCXUAAGcRqYjexYoMwKhzCBssWQkEMdp11oSDpaWH1\/\/FAmSDtbWx8PLexT66472RkJCQkDRPT09PT09PS5jNKDDUtGPhLFjohGWYT2j8j83amDkrhZ3C\/2FQ5mdZnyaSlXvpTSw4QxzPKc\/1ppy0r1eRZI5oJ+p2dayL0dtYIRXg5e6MWgrC2be0L7w5uHO8F004aYCv4P9CJMUAHJpWAbSrTZTMfEtWFyfDkj7YkHwaP5UymM6nR48L2gXFeKkUsAfFE4YdqOFx0jp7Or60QKwF28+F5JlmKheAIJYQf2G3TqQY5Z0GTRcqhNLIOvYwJHCg1nj9RsIaYrnxmJ6DxwmjdzptTsT9sVdTMbkTg\/n2nGJhiOefKm8zFCoYHgU+C28Gf5sas1vu\/kt+OthMjccEo9wtGlC0ASPJ0qzS1sLHzYCsHMKDTYi9DD4foBrLZIc7pPx6JY6jOITQrc3efMsbAqZ1ZQQ9kAdp5K3mgsg3YJ0Q8Y0QZBWPHmxflGMFEMjHsP3GqPpnIAikccEmWg4o7+4F7KjVV7AVvTEyzA+8jQ1VrBrX5u+RVR9KG1O2SE5Cyq01BIwBHkezcDDf26H5C97IBIVRHEUN9a1I634tVX2hvonn9B8R7ucHFtbPm8v8XEfv5vsQiUBxdkQr4DEWqI+9efmJ7QzhmvbgsfQT\/lgyVKjuV7xATyGBulDT7mIFhQJis3fW7N6AP3W7D2NaqruF2RCWxjuAfiDF7FqVCRQStQiec12qDWggWFa5YJPYeAg3DNJYZLcxFww8J70\/Eg39+xjHkW\/GOLYez3x9FJNy88bzEiJFYwCTWUZnK3jDBLUaCFieNDFzqoKVzt+\/kSz+C3mshabnALJ2aYVnyWRkGVGRIw3S0WoTq9YykqwMV24Kk34rk9VX0xjIdoKqUAQsTP2sFY10R\/tU6R54Bq6N20vbHw0423rQBfXYTLF76muZ+5yrUbSgYHUxbnjBnVjpbbDNFDv1NDIURH8hFLeWNAsNZtLNHUp97veG5JCgSoBcNWrf5g+qs\/mmuRkZFHQLGQXlFjnHqt7DW7888AHgw3u4CiGUSrJzphDpfCWP0RgDn299d2Ril0LC8MhkTRLsCefsDfyp9t55XHR0+9rQ12xOawr2Gfk1nM+UlkyzEfd1uzpXju7BlNw\/XaM1RcvL26zFCGpLkhelssxeXpe1oStGT9+fgo5vRALSMf096AIfzKDk\/NbnZpnXY4r7ISHMeE5wJVp6Hs0TJswp0xbpQzaMzYGEvxoAbPu5kOZ9OipaPQfGALzzv2q6QmKKpdI3AnIh4LIO1vipAjAuDPqLWlCAnhJDj80pV4njf5FGejVXyupeYtcRvfudhBQ8G2H+16vYuNtcP3OV14wpgh5uQQEZwbFNlX+Dnyt\/qoHM45o25wYs9\/IAm40Qt01817PU8SGdpYVifHQAgAAA"}
-01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":8516.5,"max":26979,"stddev":8440.4,"var":71240384.0,"ent":4.1,"data": [354,233,4927,176,24291,18871,121,5388,6873,160,19127,17570,126,13829,13759,135,13082,15439,116,26979,24414,172,9012,10973,385,1993,887,14115,8282,98,12123,0]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0]}}
+01558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":8516.5,"max":26979,"stddev":8440.4,"var":71240384.0,"ent":4.1,"data": [354,233,4927,176,24291,18871,121,5388,6873,160,19127,17570,126,13829,13759,135,13082,15439,116,26979,24414,172,9012,10973,385,1993,887,14115,8282,98,12123]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0]}}
 00811{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136616772,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136616772,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50462,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1467353136616772,"pkt":"TF4M6gNlABxCjnAxCABFAAAof6tAAIAGbhvAqHMIymwO7MUeAFC+iLxRSK1JylAQQRKO+AAA"}
@@ -42,7 +42,7 @@
 01942{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":387,"source":"pps.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440580,"flow_dst_last_pkt_time":1467353136640432,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1109,"pkt_l4_len":1075,"thread_ts_usec":1467353136640432,"pkt":"ABxCjnAxTF4M6gNlCABFKARHPvMAAGwRBbvKxgdZwKhzCD6nWQkEM7bwtIThx8fltZ2nYAbh19fDgoHFsbOz05H7ys7Ozs7OUjMzMzMzMzM3d32QGgSgl3utg\/Lr9hRf++0ikCQTv4qzjqE0Vwx53Ozi5DZHrUJ0D9ld80WV2ev0tZtZRKXgAoVPxGV\/sVzgH4xC6HL79R7mq5iPtdzW66QMOgYGr3SE8p+G4rKdTYea586Ro7AY6bM28Jh0I5r5TVTI2fUcSzHV34y5S7zxuN9s2gdR+G2nAQ9di580b0fnOVMCMbQS0YymBcyPOk\/TMuDcu3jPoKDTMgO9S0s0IYLNh3NTzcMZuYatUE10g0vqD2WlKxR1edSPZQFM4WX\/I8oWPKSn5CmnWCJgNchgz7RCWXFcarMT+ited1xm8MkWOvZ2PeUCHfQ1MuOuLpD7j5mhw07uokSIlTUFQAnPCELFA5Psd1zbcuid+es8QtEP8h5Pg5ROnoUYgwG\/AmXnw02rh0T218tbI40AgvHe3fXoohnR3eOl8fPl6Tin6Gi3A066NBegsFeRPVSX+gHnt5FK1bZ00Z5WDtXOvCRcLb\/+iWvY\/Ph9J25OZG\/H6f9hZv6bNXwaaIuHTCkt2zE30xNgGrL5fP\/qsPXo4QVw4df\/AHUUWn7DNhotAyglmhZHHHx2D76uvfRLfpDX45nAOTU0aQzIlAkbjeL9MiunISwrfsUiGGi77jizTx7AZjJwIN9X0xB729dePDFW3iOjEJKi6wwqiXtgjp0Qn4ycT8aj3higqkAdmCf6viBeUxA4Ey0XJs8LeWlBWrWLGrAVX\/syUvSc0Qnt7hgTis34opRC9MgH7uPb+CPcACWQ4PyqMfFoB93v48Hj+r9dC9ONTO9C\/ktt3YfWgupPKQW8qdqTDsSYNY4LtVldBymEKQFgcafM+ACwgYLH3rkh38VWSezZwGc\/KyCgGlonrmjhRAudSNJrjk2I5hAwMjl3+Su91K1EqYBwzJUW5Alu89DYvHVV54Y1uiDfno+vg9g2pOTv9qD\/obGNrCOfIKiGoGknOiYUYI9eRr\/Qs1peKBmW\/7D5fFEEUzXzGE\/77OK829Wr420Sgnl\/\/9UHV4dxNEpg7Umuc4f16HFagvn7eaQRFd2LphIs7VvTz82qi7A\/OZJVG8fQa21CCaNp\/VwpaOYvMyyVi6a19f21I+oFHfTzAOIIV1wwifq0aAqUb5BxGVtvBKoejKKSwLl6F5F2DDKztCmxmzs\/WdQTTScN896khxt4jB6c6Mtj512hCjnKbeZFmlvfg6SdAKpUxQ3Gx6Yz3l9WLMoFQ3S6GdtYorTUz4zvLoxi+9EUFhpvg1ZrQIfeIXH93JJ0H9uwkye148Sa+dodTKDlcRbxOKd9fiM3Owhw5\/cz2k47y3guqZHbBfAcDjAReQ92\/933ihS1JB7je3wazbY+fsqer0ZQzO0QaggAAAA="}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136757007,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136757007,"l3_proto":"ip4","src_ip":"192.168.5.15","dst_ip":"68.233.253.133","src_port":65125,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467353136757007,"pkt":"TF4M6gNlKDc3Alz6CABFAAA0AHFAAEAGMi3AqAUPROn9hf5lAFBsGPTh5ZgTx4AREAFu8AAAAQEICiYbPvkrIgZe"}
-01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":23509.2,"max":69635,"stddev":21390.8,"var":457567520.0,"ent":4.2,"data": [416,29926,29688,118,32027,32808,298,45715,281,69635,23035,67,41991,41569,116,35956,327,59526,23042,142,31796,32196,302,44442,309,68337,22748,167,30877,30767,160,0]},"pktlen": {"min":79,"avg":336.0,"max":1107,"stddev":445.1,"var":198147.0,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0]}}
+01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":23509.2,"max":69635,"stddev":21390.8,"var":457567520.0,"ent":4.2,"data": [416,29926,29688,118,32027,32808,298,45715,281,69635,23035,67,41991,41569,116,35956,327,59526,23042,142,31796,32196,302,44442,309,68337,22748,167,30877,30767,160]},"pktlen": {"min":79,"avg":336.0,"max":1107,"stddev":445.1,"var":198147.0,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0]}}
 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136833095,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":108,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":108,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136833095,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.61.39.103","src_port":22793,"dst_port":17788,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":150,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":150,"pkt_l4_len":116,"thread_ts_usec":1467353136833095,"pkt":"TF4M6gNlABxCjnAxCABFAACIADsAAIARBNXAqHMI2j0nZ1kJRXwAdM6LbABEsXEiUCg6x2bnNgAAAQADAAAAwKhzCAlZCtIsqwEGdAZ0b\/pmQpw8UwQ938xDXiteKyTtmkXcENwQJOknUZ5InkhvdWVRsieyJz3jqlgDTwNPynAfWaJVkHF5+IVd1THVMQGvgGhBFEEU"}
@@ -124,7 +124,7 @@
 00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":819,"source":"pps.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136837852,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFQAAIARBODAqHMI2j0nV1kJRXwAYC8EWABVcnEAAAAAx2bnNgcAAAAAAAAAFJfHSwLp2roy68F8GXs9tGoAAAAAGAAAAAYAAAANKAICAAAAAwAYAMCocwgJWRcAAAsKAAAAAAAlAfAI8dQdAAAAAA=="}
 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":820,"source":"pps.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136838051,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFUAAIARCQHAqHMId7yFtlkJRXwAYCbMWABVcnEAAAAA4pCy\/AcAAAAAAAAAFAQbslmKl2DoSDdZBZ9sSucAAAAAAAAAAAYIAAANKAICAAAADQAYAMCocwgJWRcAABIKAAAAAAAlAcgIZPMJAAAAAA=="}
 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":821,"source":"pps.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838374,"flow_dst_last_pkt_time":1467353136838171,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838374,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFYAAIARp8zAqHMItz2naFkJRXwAYEeGWABVcnEAAAAAyMXU\/wcAAAAAAAAAFADpSP+bPHc9KoW3YGEXtKMAAAAAAAAAAAYIAAANKAIBAAAACAAYAMCocwgJWRcAACUKAAAAAAAlActw35cdAAAAAA=="}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":28697.5,"max":108044,"stddev":30689.6,"var":941853376.0,"ent":4.0,"data": [939,52844,52258,255,55452,67,77746,21970,217,78270,79276,484,437,117,46524,44383,93,18436,18537,325,35971,83,108044,71536,720,28274,507,45891,16142,358,33466,0]},"pktlen": {"min":61,"avg":303.3,"max":1107,"stddev":425.3,"var":180865.5,"ent":3.9,"data": [79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1]}}
+01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":28697.5,"max":108044,"stddev":30689.6,"var":941853376.0,"ent":4.0,"data": [939,52844,52258,255,55452,67,77746,21970,217,78270,79276,484,437,117,46524,44383,93,18436,18537,325,35971,83,108044,71536,720,28274,507,45891,16142,358,33466]},"pktlen": {"min":61,"avg":303.3,"max":1107,"stddev":425.3,"var":180865.5,"ent":3.9,"data": [79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1]}}
 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353138757317,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353138757317,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"101.227.200.11","src_port":50463,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353138757317,"pkt":"TF4M6gNlABxCjnAxCABFAAUUA1lAAIAGkOvAqHMIZePIC8UfAFBKp6EFWDmKmFAQ\/\/B9QgAAR0VUIC90cmFjazI\/YT0xJmFzPTE7MiwzOzQsNSZiPTE0NjczNTMxMzgmYz1hZTg3Y2IzY2ZkZjQ5NGFhNDhkYzYwODkwOWY2OTI1MCZjdj01LjIuMTUuMjI0MCZkPTUwMDAwMDA4NTg4NzQmZHI9MjE3NSZmPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jmc9MF9hYW9lZmR0cWdmZGVweGMydG52M3BpdWNnY2I0ZW9mbiZoPSZpPXFjXzEwMDAwMV8xMDAxNDAmaXY9MCZqPTMxJms9MTgwOTMyMzAxJmtwPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jm49NDc5NTMxMDAwJm89MSZwPTEwMDAwMDAwMDAzODEmcT01MDAwMDAwOTI3NTU4JnI9YzQ4ODllNjRhZDlkOWVlYjlmZjQzODkxMDg1MGM0NDImcnQ9MTQ2NzM1MzExMyZzPWFlYTU2YTgwOGZjOTJlZjM2MDUxOTEyMTk0OGUwZjI3JnN2PTQuMTAuMDA0JnU9MSZ1cD0mdj01MDAwMDAwODU5MTI0JnZlPTEmdz0yLDMgSFRUUC8xLjENCkFjY2VwdC1MYW5ndWFnZTogemgtQ04NClJlZmVyZXI6IGh0dHA6Ly93d3cuaXFpeWkuY29tL2NvbW1vbi9mbGFzaHBsYXllci8yMDE0MDkyNC9NYWluUGxheWVyXzVfMl8zX2MzXzJfMV82LnN3Zg0KcXlpZDogYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4NCnF5cGlkOiBfMjAxMg0KcXlwbGF0Zm9ybTogMC0yDQp4LWZsYXNoLXZlcnNpb246IDEyLDAsMCw3MA0KQWNjZXB0OiAqLyoNClByYWdtYTogbm8tY2FjaGUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA4LjA7IFdpbmRvd3MgTlQgNi4xOyBXT1c2NDsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKS9RWS1QbGF5ZXItV2luZG93cy8yLjAuMTAyDQpIb3N0OiBhcGkuY3VwaWQuaXFpeWkuY29tDQpDb29raWU6IHBwc19jbGllbnRfdmVyMj01LjIuMTUuMjI0MDsgVDAwNDA0PTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4OyBfcHBzX2l2aT1WazQ5TVRZd05UQTFMYVcvcFBtaFJ6OC9QNlRhcEVlbXVEOC9wTSt3Wmo4dHBMV3gzemd3cGxvL3BHYW9jU1pXVUQweEpsWkRQVDgvUHo4K3BMV3gzemd3cGxvL3BHYW9jU1pXU2owdE1TWldVejFRSmxaRVBTWldWRnRCWFQweU1UYzFKbFpOUFNaV1ZqMDFMakl1TVRVdU1qSTBNQ1pXVlQxb2RIUndPaTh2ZDNkM0xtbHhhWGxwTG1OdmJTOTJYekU1Y25K"}
@@ -355,7 +355,7 @@
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":946,"pkt_l4_len":912,"thread_ts_usec":1467353189363217,"pkt":"TF4M6gNlABxCjnAxCABFAAOkLbJAAIAGvJjAqHMIymwO7MVIAFBYgFOZMQ8QiVAYQTddVQAAR0VUIC9jcDIuZ2lmP2E9NGUzYWU0MTVhNTg0NzQ4YWM5YWEzMTYyOGYzOWQxZTgmYWk9JmFzPTE6NDU6MjN8NDUmYXY9NC4xMC4wMDQmYj0xODA5MzIzMDEmYz0zMSZjdD01MDAwMDAwOTIzNDQ3JmQ9MjE3NSZkaT0mZHA9NzEwMDAwMDEmZT1jNDg4OWU2NGFkOWQ5ZWViOWZmNDM4OTEwODUwYzQ0MiZlYz0mZW09JmZpPSZnPTAmbD1NVEU0TGpFMk15NDRMamt3Jm1rPSZudz0mb2Q9NTAwMDAwMDg1NDkzNCZvaT0mcD1hJnBwPSZyYz0mcmQ9JnJpPSZzPTE0NjczNTMxODcwNTMmc2g9JnNxPSZzdz0mdD0zcSZ1PTBfYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4mdj00Nzk1MzEwMDAmdnY9NS4yLjE1LjIyNDAmeD0meT1xY18xMDAwMDFfMTAwMTQwIEhUVFAvMS4xDQpBY2NlcHQtTGFuZ3VhZ2U6IHpoLUNODQpSZWZlcmVyOiBodHRwOi8vd3d3LmlxaXlpLmNvbS9jb21tb24vZmxhc2hwbGF5ZXIvMjAxNDA5MjQvTWFpblBsYXllcl81XzJfM19jM18yXzFfNi5zd2YNCnF5aWQ6IGFhb2VmZHRxZ2ZkZXB4YzJ0bnYzcGl1Y2djYjRlb2ZuDQpxeXBpZDogXzIwMTINCnF5cGxhdGZvcm06IDAtMg0KeC1mbGFzaC12ZXJzaW9uOiAxMiwwLDAsNzANCkFjY2VwdDogKi8qDQpQcmFnbWE6IG5vLWNhY2hlDQpDYWNoZS1Db250cm9sOiBuby1jYWNoZQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNC4wOyBTTENDMjsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjUuMzA3Mjk7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgTWVkaWEgQ2VudGVyIFBDIDYuMCkvUVktUGxheWVyLVdpbmRvd3MvMi4wLjEwMg0KSG9zdDogbXNnLjcxLmFtDQoNCg=="}
 01543{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming","hostname":"msg.71.am","http": {"url":"msg.71.am\/cp2.gif?a=4e3ae415a584748ac9aa31628f39d1e8&ai=&as=1:45:23|45&av=4.10.004&b=180932301&c=31&ct=5000000923447&d=2175&di=&dp=71000001&e=c4889e64ad9d9eeb9ff438910850c442&ec=&em=&fi=&g=0&l=MTE4LjE2My44Ljkw&mk=&nw=&od=5000000854934&oi=&p=a&pp=&rc=&rd=&ri=&s=1467353187053&sh=&sq=&sw=&t=3q&u=0_aaoefdtqgfdepxc2tnv3piucgcb4eofn&v=479531000&vv=5.2.15.2240&x=&y=qc_100001_100140","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\/QY-Player-Windows\/2.0.102","detected_os":"Windows 7"}}}
-01669{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3105.9,"max":35765,"stddev":9210.9,"var":84839944.0,"ent":1.8,"data": [2901,35025,35765,2,54,1038,2,1,1,1,1,1,4098,1,1,1,1,557,2,1,1,4317,82,1,1,1,1,0,0,0,0,0]},"pktlen": {"min":198,"avg":1221.0,"max":1314,"stddev":293.9,"var":86398.0,"ent":4.9,"data": [198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01659{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3105.9,"max":35765,"stddev":9210.9,"var":84839944.0,"ent":1.8,"data": [2901,35025,35765,2,54,1038,2,1,1,1,1,1,4098,1,1,1,1,557,2,1,1,4317,82,1,1,1,1]},"pktlen": {"min":198,"avg":1221.0,"max":1314,"stddev":293.9,"var":86398.0,"ent":4.9,"data": [198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01075{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":473,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":473,"pkt_l4_len":439,"thread_ts_usec":1467353189784236,"pkt":"AQBef\/\/6cBiLE+IdCABFAAHLI6UAAAER3rTAqAUm7\/\/\/+gdsB2wBt3SETk9USUZZICogSFRUUC8xLjENCkhvc3Q6MjM5LjI1NS4yNTUuMjUwOjE5MDANCk5UOnVwbnA6cm9vdGRldmljZQ0KTlRTOnNzZHA6YWxpdmUNCkxvY2F0aW9uOmh0dHA6Ly8xOTIuMTY4LjUuMzg6Mjg2OS91cG5waG9zdC91ZGhpc2FwaS5kbGw\/Y29udGVudD11dWlkOjJmNjg4ZWNlLWMwYjEtNDEwNC1iOWU1LWNiY2VlNTAzZTZiNA0KVVNOOnV1aWQ6MmY2ODhlY2UtYzBiMS00MTA0LWI5ZTUtY2JjZWU1MDNlNmI0Ojp1cG5wOnJvb3RkZXZpY2UNCkNhY2hlLUNvbnRyb2w6bWF4LWFnZT05MDANClNlcnZlcjpNaWNyb3NvZnQtV2luZG93cy82LjIgVVBuUC8xLjAgVVBuUC1EZXZpY2UtSG9zdC8xLjANCk9QVDoiaHR0cDovL3NjaGVtYXMudXBucC5vcmcvdXBucC8xLzAvIjsgbnM9MDENCjAxLU5MUzowMDI4NWJjM2MzYmEyMDcwMDdlMWMzYjc2MjFjODQ3Ng0KDQo="}
 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}}
@@ -441,7 +441,7 @@
 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1461,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196856069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353196856069,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_1.jpg?no=1","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}}
 02213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1462,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917508,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjVAADgGss\/fGmoUwKhzCABQxlp7yE3nmzJ751AQAB9cGQAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY2MTIxMQ0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTUgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDENClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAHAQAAEDAwMCAwUEBAoDCgcAIwECAwQFBhEAEiEHMRMiQQgUUWFxFSMygUKRobEJFiQzUmJywdHwJYLhFzRDc5KywsTS1CY1U2Oiw\/EYNkR0g4aTlKSz01RWZGZ1doSjtBknRUZVhZWWxdW14jdXZf\/EAB0BAAIDAQEBAQEAAAAAAAAAAAUGAwQHAgEIAAn\/xABKEQACAQMDAQUEBwYFAwQBAQkBAgMABBEFEiExBhMiQVEUYXGRIzKBobHB0QcVJELh8DM0UmJyFiXxJjU2Q4KSF0RTc6LCY7LS\/9oADAMBAAIRAxEAPwDytAyeNWtFoU6vyTFgRlSXcbsJ9B8fl+eqxHqdN32eupf+5vW5UmPVHaHUHUpMapNHCmlDdxnBxnP7NTSEouRRHT4I7mdYpW2g0MdQukl49JKsmm3fb0+gS3BuZ97aKUPpwDubWPK4MKHKVEc6GfB+71qP21vapV7RkmgxSmNKRQ8iNNSkh8JU22lxLigdq962\/E4T5c4BOs+RYyXt+9GvEJIzXtxb9zIY85++q2mvKhvb0f6yf6Q1fvM+8sb2vwajqp2x9KEaMLI6f1e5vG9xjq92\/SfdVsZCvmo9z8k5+mpopSG2jmvYSyHaelDtuyUwH0vLXs82ngvqqxcNDk0eP4PljJZU\/wCH5nMjBx9B66X\/AFL6K3H04lNe+x25cNxhuQ3JiKK0bVDI3DgpPxyPz0GUyqzaa9vjp93WrCfER6D4jRLayjnijVvclPAKOG4EOlTUKQvwv6qv0vppy2vUkLpxXv3o2+XSltd5ittlC0KkPf8ACSZPJ47AZ9NGTdbjURtq"}
 02220{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":3,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917511,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjZAADgGss7fGmoUwKhzCABQxlp7yFLTmzJ751AQAB+1AQAAFHWnfu3ebsPmflqKi8LbOppt0aSln8a0oQnzOKX6fXTzo\/s7tX30MrdPrafdJ9wOpqEVa0+eCttATGWR8cDKh8HCNIf2Y7kse++qsW3Z9ZRJmISqRHhlv7ua8gbtu88KwMqCRndtPwwr0FYe3t6IW8WfGaEajdpKO6T7a8f7q6eXHYM73S46PKpTyVFtK32z4SyP6Dn4VD6HUejUGdXqrT6VTI\/vdSmvtxYrHiJaC1rVtGVnhKfUlR4AJ16QVv3OsV+5oM2OzU4HhtpejSW0raWT2G05\/CnHPx0obh9myNSbjod09Pap\/FmsUupt1BtqSFvxFhIVlBSDuGc4POMZxg6\/XEcyITHyaXYrUM4B6Gst3D0dv22KjesSo2u6f4mtIdrsiFKafZjNrwULQrI8Tck7ylIyACVAaiTOjt7U2gUet1O2pFNpVZYVKp8lx5twPNBIWVHYo+Gdp3bV4OAT6a0xfk3q\/SqN1XjzmEVOHe7qXEyae+XGKY3w2pLbYTkbmQG1KIB8iTyd2lNevUKq1roxZ9hNOOsfYa1eNIShLQeSlstNIGw5O1CnASr8W7nOlh7u7jOGFMEOl2hfEkoApQO9P60p+VHRCeW9Ec2SG0srUtlWCdqwE+U4B4Vj8OhesUp+lSlx5aPCeR+JH6Q5wQfgc8YOmdXrjbcYne5Ux2lTJLiXHJbVVkuLOM\/i3K8xIJGVZ+Whhi7ZNK97Rs94XJTtcddcO4\/iJyfiSrOdXLa6mdvGK5v7Kygi320m41QWoypc57\/iT+8apK8zsqsv\/jDpm2pcKnrVl09bSdkbwvvd310AXb\/41P8AxaP3aMQybnNCnTFuDTCmX\/AehhjDIbSAPKnVJGrkeoyvd4EUynsZ2oT6D4nPH5n5aB6xc36KEI3fQaNvZ9v2pWncEydBmyKVU3Ep92qEfylsjdxnHGd37OdCJbRljMvU0q6Zo8N7cql0+1T5129VKLc\/Syqil3Xa9Qt6Y4kqZEyPtQ+njzNODyuDBTkpJxuGdLxuRMrLm2NCed3f0Ua2H7T3WGX7SU6g\/bURj3OhpKYcnGJKkqabS6HFA7Vblo8TAAx2ydKmO5DpLKWocZKNv6WdWraPwBzwa8vLeGwmMKDcR6HNLKkWS6k+LPgSD8vTRRGTIZ2tQ6a6P7RGNXc64okVKlPvo+m7QlVup7Dfkjqb\/I6u7iPOh+55T9XirgVKTSfPK4\/qJc1El3vLmJU2xD\/1lk6Cn788Zwq2hav62Tr4Xw5t8qUj\/V1x3j\/y8VaEMnklWFQg1yY2l9X3TKzhPwOO\/wCrOulNLqCW9q5pS38E5xrn\/HR+bQfdURl+9Ik+MiUCQkp27S3t7ZJwd2dc7URUalWIrlTZe+yVFXiOKSdnrjJHzx664DsR1oitrcEgAYqJ4K4v4Xx+rXwlFKfM\/wDs0YdYLVi2\/R6VPpjS\/DlZS67HytltSOVZVk4J3JIB+fOlYZC9vm8356mTGM1O9q8bbSc1bSFNq3bXV7tdLCXHlbfHA4yVHOAB+v8AdqvebmNspfcQUtr7HXFp7wVbtxV6HUrHCHb1qxDGAw39KNZfTyrU1Q94TGRmImaFLfH8yr8Kvz+HfUumWDVqp44YfiL8BxDToEgJCFKKgkHPx2q5Hw510nqOxJTJT\/Fqmp8SP7sOM+HyrCx\/X8xyeO6vUjFt"}
-01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4815.8,"max":61439,"stddev":13558.3,"var":183828400.0,"ent":1.8,"data": [61439,3,3,1,1,30336,2,1,1,25868,1,484,2,1,1,574,2,3519,3,772,1,1,1,1,1,2191,0,0,0,0,0,0]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01674{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4815.8,"max":61439,"stddev":13558.3,"var":183828400.0,"ent":1.8,"data": [61439,3,3,1,1,30336,2,1,1,25868,1,484,2,1,1,574,2,3519,3,772,1,1,1,1,1,2191]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_packet_id":1,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1467353197131515,"pkt":"AQBef\/\/6dNArkea6CABFAAChc\/sAAAERIa3AqHMB7\/\/\/+scBB2wAjWbYTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}}
@@ -457,7 +457,7 @@
 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1998,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198532645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353198532645,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_2.jpg?no=2","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}}
 02225{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1999,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":2,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595498,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595498,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJVAADgGwG\/fGmoUwKhzCABQxlwKAEr9wq8jr1AQAB\/+YwAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozOCBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY4MDQ1Mw0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDINClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAG8QAAEDAwMCBAMEBAgGDQUCHwECAwQFBhEAEiEHMQgTIkEUUWEVMnGBI0KRoQkWJFJyscHRJTNigsPwFyY0Q3OSssLE0tTh8TVThqKz0xg2RGODhIWTo6S0J1RkdHWURnYZN0VVVmVmlZbF4tUp\/8QAHQEAAgMBAQEBAQAAAAAAAAAABQYDBAcCAQgACf\/EAEcRAAIBAwMBBgMGAwcEAQMCBwECAwAEEQUSITEGEyJBUWEUcYEjMpGhsdEVweEHJDNCUmLwFiVy8SY0Q1NzNYKyosJjg9L\/2gAMAwEAAhEDEQA\/APMptJVH130SjzK1ODEJhT7nfaPYfU\/36sLbZpa5kcVlcxmmZPnLp7aFPYwcbQogZzjufnpudML6tTppWVy7NuK4oNWd+7OqUFmN5GAcbVNvOHnPOQB9dazqvexW8bxLlgK902GK6uRDM20HzpX9Quk14dJ6+mm3hbs635Lw8xn4xrah5PHqbX91wcpyUk9+dVO39FrVXio8T1teJOo0iFdEycw1Qk4p82j0xuVIUFNoS8h5S32knctsODaDjdjSXTR+mhR\/8EV3\/wCdb0Q\/9O132ZlLRu0gOSfSoNQiW2mMQOflzSwqSfu64U5Pq0xp1E6YHG+6LuT\/AOjUX\/t+umJROmSVei6rsV+Nsxv+36hlUfxbf5VSDjZ0oKmp\/Qq120RP8lV+OjiVR+nKm1brouhH\/ozGP\/T9fU2j9O0x1eXdVzrTnv8AxYj8f\/R+j\/fKmqCTB+6fKoi+UxQFTU+pz8TqJKZP2n+f9+mRBo\/Tncry7suVfJ\/\/AAYYH\/T9R36H02+L3Ku250q+"}
 02234{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2000,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":3,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595505,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595505,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJZAADgGwG7fGmoUwKhzCABQxlwKAE\/pwq8jr1AQAB8TPwAAQtiP\/X8fofczLJZRL\/v\/AJ10rgMaH2Gf0Z1VVRnTPjUywEtnbclzqH\/4txv+36rp9H6bKz5tz3WP6Nsxj\/0\/TXrE0cmn7QD09DVaNjvoBpjfp1znU2VIcOxhxTO3cpxDZUEjnvgfQ9\/kdMGm0bpqlI2XLdrn\/o5FH\/T9HQ6yUG2uklRsGHVriXDly3XBJfo0UFplaUZbSBKJGVpWo+rH6Q8ZJ0lao8w0NVtwc5GeOMfOiVqYmnxKcCg6odBbrtWm0V+ox2Gm6o0XGFCU2spISpRQ4kEqaWEDdtWEn8+Nc5fQi6E7EFMNCluIaAMtGQpRwnPJ4ORydHnUzrNSes\/2KupyKzGZp0NDO+PSY6nZDqRtLrizKHcfvJ1Uzn6DNoUaGmnXP5aWkJakx7dYSp1KVbgorEkhWT3Iz31Qgve0ENiqumF8sjyo+kejk5Lkmq1fhC6hU9DqlM0xzccFLc9ClcKAPGP8odtLOv2vPs6vzKPUUoTMiq2u+UrekH6Ht+zTeVVqHU0T0NWpcm6WzjezbzSVoHqTvQQ7nPqwT+3Vr0XtGkXqK5FtuDc9TktNIVML8unxEoQd4QEl1RGSQc89wNRaRfTWzCa7P2a+f1qneLaFMW2S1Z3nt418lHoT+Gtf0\/wxVG94D1sU62a09IhOtMeWu5qQlYdU0h0cc7glDyCvafzJ1lao0ldLnTYT6C29FecYcRuC9qkKKVDI4OCDyANaFpeo2mrXEq27ZIFBGR41BcYodQCY6tSKJSJlZnCPBjqfe+8Up9h+P9+rC3GqUufH+2lzG6Zk+caelCnsYONoUQO+O5+em50yvu0umdZVMs64rip1Wd5TOqMNmP5GAcbVNuuHnPO4AfXSjqxlggSSJcsBRTTYYrq5EMzbQfOlb1E6TXh0kryKbeFuz7flPArZ+MaKUPp49Ta\/uuD1J5ST351UJb9OtW+KrxO2z4lKjR4d0TZzTVCTtp02jU5qTIUFtoS8l5a32knctsLG1JxuxnSURR+mpSn\/AA\/d6f8A5QxD\/wBN1x2ZlLJIzqck+lQ6hCLeXuwQcenNLCop241wgJ3uaZU2i9MDjfct3J\/9HIh\/6frpi0bpilz0XPdh\/G2ov\/b9cygfxbd5VSD+DFA0xH6PUijJ\/krn46NplG6cKbO66LpH4WzGP\/T9cqZSOnaWHPKue6Fc\/wD7Mxh\/0\/R8TKmqB8H7p8jUJbKYoCpbf6RzPz\/t1Ekt\/wCESPqNMaDRunO9zy7nuhfz\/wBrMf8A7frpfofTb4w7rqugOZ7fxZjH9\/x+hlzMr2US\/wC\/+ddK\/iPFDjDPp1VVNs86aLFM6fBO1Nx3Qf8A0cjf9v1XzaN02P8Ajbmuwf0bai\/9v026vPFLp+1c9PQ1DGWDcil9SmztPOu6bTZMhYUhhxTIG5TiW1KCRz3wD\/qNHtOpHTNI\/RXDdzv\/AKOxU\/8ATjo5HWShW10lqVgw6ncTkOXLecTJk0mNlthaEZbAEknJWlajzj1n3J0l6o8x0RVtwc5GeOMfOiFr3bT4mOBQhUOgl1WpTaK\/UY0dpuqtFxgolNrUkhKlFDiAoqaVtGcLA\/brnK6FXQnCFIhoUtxLQCpSM7lHCQRk98jv20ddTes1M60fYqqm9WIrNOhts741LjqdkOgbS64syR3H7yc6qZ0mhzKDFi\/ZdylkMIQ1"}
-01685{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5706.5,"max":62853,"stddev":16390.1,"var":268635424.0,"ent":1.7,"data": [62853,7,1,1,1,1,28633,3,1,57886,1,1,29,1,1,276,1,311,1,3236,49,2,773,2,1,1,2,0,0,0,0,0]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01675{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5706.5,"max":62853,"stddev":16390.1,"var":268635424.0,"ent":1.7,"data": [62853,7,1,1,1,1,28633,3,1,57886,1,1,29,1,1,276,1,311,1,3236,49,2,773,2,1,1,2]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}}
 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2397,"source":"pps.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":0,"flow_first_seen":1467353152692906,"flow_src_last_pkt_time":1467353167734702,"flow_dst_last_pkt_time":1467353152692906,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":798,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353199312861,"l3_proto":"ip4","src_ip":"192.168.5.57","dst_ip":"239.255.255.250","src_port":59648,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2456,"source":"pps.pcap","alias":"nDPId-test","flow_id":98,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196348641,"flow_dst_last_pkt_time":1467353199417673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":275,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":275,"pkt_l4_len":241,"thread_ts_usec":1467353199417673,"pkt":"ABxCjnAxTF4M6gNlCABFAAEF4D5AADEGSkB7fW9GwKhzCABQxlcB794psg4Z21AYPLiOgAAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFRlbmdpbmUNCkRhdGU6IEZyaSwgMDEgSnVsIDIwMTYgMDY6MDY6MzggR01UDQpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47Y2hhcnNldD1VVEYtOA0KQ29udGVudC1MZW5ndGg6IDI5DQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXNzLUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUNCg0KeyJkYXRhIjp0cnVlLCJjb2RlIjoiQTAwMDAwIn0="}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2545,"source":"pps.pcap","alias":"nDPId-test","flow_id":106,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353200271229,"flow_src_last_pkt_time":1467353200271229,"flow_dst_last_pkt_time":1467353200271229,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353200271229,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50781,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -616,8 +616,8 @@
 ~~ total active/idle flows...: 107/107
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6323686 bytes
-~~ total memory freed........: 6323686 bytes
+~~ total memory allocated....: 6323258 bytes
+~~ total memory freed........: 6323258 bytes
 ~~ total allocations/frees...: 126038/126038
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/pptp.pcap.out b/test/results/pptp.pcap.out
index dbe996150..e298ae155 100644
--- a/test/results/pptp.pcap.out
+++ b/test/results/pptp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038389 bytes
-~~ total memory freed........: 6038389 bytes
+~~ total memory allocated....: 6038385 bytes
+~~ total memory freed........: 6038385 bytes
 ~~ total allocations/frees...: 121512/121512
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/psiphon3.pcap.out b/test/results/psiphon3.pcap.out
index 9634bc5b4..054b58d7a 100644
--- a/test/results/psiphon3.pcap.out
+++ b/test/results/psiphon3.pcap.out
@@ -7,7 +7,7 @@
 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079143404,"flow_dst_last_pkt_time":1613865079140404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613865079143404,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01233{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01528{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":2422,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}}
-01541{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":998,"avg":10543.0,"max":46102,"stddev":11726.4,"var":137508352.0,"ent":3.6,"data": [6003,17375,14372,998,15961,7000,4998,3002,27963,1997,2998,1002,7002,25852,1389,4047,20760,1037,46102,1001,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":40,"avg":277.5,"max":1500,"stddev":421.9,"var":177964.3,"ent":3.8,"data": [60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]},"bins": {"c_to_s": [10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0]}}
+01517{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":998,"avg":10543.0,"max":46102,"stddev":11726.4,"var":137508352.0,"ent":3.6,"data": [6003,17375,14372,998,15961,7000,4998,3002,27963,1997,2998,1002,7002,25852,1389,4047,20760,1037,46102,1001]},"pktlen": {"min":40,"avg":277.5,"max":1500,"stddev":421.9,"var":177964.3,"ent":3.8,"data": [60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]},"bins": {"c_to_s": [10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0]}}
 01532{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}}
 01048{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":30,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079845431,"flow_dst_last_pkt_time":1613865079841273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3700,"flow_dst_tot_l4_payload_len":5574,"midstream":0,"thread_ts_usec":1613865079845431,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":62,"total-skipped-flows":0,"total-l4-payload-len":9274,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1613865079845431}
@@ -19,10 +19,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6044160 bytes
-~~ total memory freed........: 6044160 bytes
+~~ total memory allocated....: 6044156 bytes
+~~ total memory freed........: 6044156 bytes
 ~~ total allocations/frees...: 121559/121559
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 1546 chars
-~~ json string avg len.......: 1011 chars
+~~ json string max len.......: 1537 chars
+~~ json string avg len.......: 1007 chars
diff --git a/test/results/punycode-idn.pcap.out b/test/results/punycode-idn.pcap.out
index ecce93ad6..327842ad6 100644
--- a/test/results/punycode-idn.pcap.out
+++ b/test/results/punycode-idn.pcap.out
@@ -27,8 +27,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039487 bytes
-~~ total memory freed........: 6039487 bytes
+~~ total memory allocated....: 6039475 bytes
+~~ total memory freed........: 6039475 bytes
 ~~ total allocations/frees...: 121530/121530
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/quic-23.pcap.out b/test/results/quic-23.pcap.out
index cef1b3713..765f3ad70 100644
--- a/test/results/quic-23.pcap.out
+++ b/test/results/quic-23.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046407 bytes
-~~ total memory freed........: 6046407 bytes
+~~ total memory allocated....: 6046403 bytes
+~~ total memory freed........: 6046403 bytes
 ~~ total allocations/frees...: 121528/121528
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-24.pcap.out b/test/results/quic-24.pcap.out
index c7b7487c1..df8f58c8b 100644
--- a/test/results/quic-24.pcap.out
+++ b/test/results/quic-24.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046188 bytes
-~~ total memory freed........: 6046188 bytes
+~~ total memory allocated....: 6046184 bytes
+~~ total memory freed........: 6046184 bytes
 ~~ total allocations/frees...: 121523/121523
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-27.pcap.out b/test/results/quic-27.pcap.out
index 459d0dcac..b5f0937a8 100644
--- a/test/results/quic-27.pcap.out
+++ b/test/results/quic-27.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046569 bytes
-~~ total memory freed........: 6046569 bytes
+~~ total memory allocated....: 6046565 bytes
+~~ total memory freed........: 6046565 bytes
 ~~ total allocations/frees...: 121529/121529
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-28.pcap.out b/test/results/quic-28.pcap.out
index 12566db67..17b7761f5 100644
--- a/test/results/quic-28.pcap.out
+++ b/test/results/quic-28.pcap.out
@@ -5,7 +5,7 @@
 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474847575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1200,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591267474847575,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.wireshark.org","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-28,h3-27","tls_supported_versions":"TLSv1.3"}}}}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1591267474861209,"pkt":"bmImQfCg7jdRvai\/CABFAABL8YhAADkR0gRoGgvwCgkAAgG76soANzParQAAAAAUQMS6Zy9FF9Xn7IIP1UsQeHX9qMwQgoOBp4aIL+MPCXOdR4KiF\/8AABs="}
 02122{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1591267474861366,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1242,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1242,"pkt_l4_len":1208,"thread_ts_usec":1591267474861366,"pkt":"7jdRvai\/bmImQfCgCABFAATMbsJAAEARSUoKCQACaBoL8OrKAbsEuILewv8AABsQgoOBp4aIL+MPCXOdR4KiFxRAxLpnL0UX1efsgg\/VSxB4df2ozABEgps603pxkyOuWqOuDCBHqFD5j6Z3HbedH1LdiS7r9g7eF1q+4GbQDzwEnV9STArM0Em4niSxcOP14YGEMbCxBeurtCEC8Tmf6DBDqyOKEQqlh98RR0FuyctJCM99u6oRT6urYJjdL6PSSu3YTL8HY6NviKj+LkpdTz6KmCgYvbgKd7NEhPEXmVYO+dL7mTC6YtcnEsrAHQU704mlKvqtFGL2\/5msnq\/TWBIk6bybV0DxYkGzE2Dnlwtw+dvrt9SpZJQBYmvuqQWRkw7Xl0Ri5Ou\/YH0Nf3CEwfW93dKkzcyI\/xYg9i+2QKy1ICjIZ\/JAWTdEHFRK8O6Gl0vStYOHFWBxnM\/YifVgYZg0OsrKE2RfzjKKmCKUpNz\/eEInpy3g7Oy6BASDjgCLyqH4KHC0RkRyxMeAwO\/4Ueuev5PR+GIZT6RPX+8eDG+GEJz8bGHJ80oLKupj5MfUtk1+qegg2dzVfHgOvprBxIArXCNmBUVNivV7wlObqf87COabZiPrwNrq3bed\/ALhpVnLbXDu3mPYFozof6hWLQUSRUCvRIP+L3zyyxfAOLZZ711TySAZxpgSSNbMb5wMga2ZxBCZGIiJBujBs0RFh65ea1D90334s1gOATeyFD6G0Y5nni0vv93RqV0rCUx5NmKsmees6Lb5Tn92zzlLElQ0tJj8i0NV+A1o9UmRJisTfKPDHGhnjIKCy7tWmA\/6WnyjC5MVpEofvbOp6VSLzrYFEbs4xO0nP5EWcI9akrhkBkR4BVPvA3BR\/JNC6qdA6XjZq7vEC4PK42e5TCzz\/lS4AoqV6qY+iOUqeRm\/KZeFGwLXw2YBxOFGvLQSYLCrM0JT+ZZ\/+YM0cgNTb4UsfslWeAa\/dEDn2K0d5vlVIufoqB2DscZriUDfkBrMe3p2BYO28jOG0dIt\/\/+wVszbGGjaG2DAkiTDrcM67+fz7k2j14PiNbU6+l0I0CfyoRbB67XXdFnPllMtNEGiR4aBRcQCCchbCVwdD7xGfKg8VLCKykEzUES\/y7hiagE2xpKTSbAUtzMYTnIbSLikbFGyfUOpyFdt16r3gk3qkldqup8CI9vmdvD1rvxsFHFdQKlm4ct28WVqNsM7AcMCYS4IdY3fjlHdgQeFzGauOLiE2HquU8FAgRipNJCs2vXSgmlj6qxAuSretb3YYCFUtS5vV7VhzZ\/si5aRaf72K7CkGDHBs9yzIrPzdtDp1CIjAcpqkTgTiqw5a7bneWQdm6knt9coPgKABTdfR1Wfei0Q3edydbubwRd1QyG5zjI0T9bXVZf85BmVvZ\/oiH86E0oC1c6Hyl3M4ke1W9+ncVNagK7XEVU\/lQ9u6NvkLWq7c7LzCfIQKMjglkD6IZxuZzbgX+IVXu+2\/W0iJnR1BIZqRhI1sURkCMk5kSbefJtA\/3ss1rR1eV5WU9Nj63Lk8fki45wlDZBMYeXWKNBze+M4K2DVnLaUMILrXDsu6YTHRFaaXufk6rRMF0IUC\/p6LhqvtpFhBb7T6xRXz1tVkXrpMYBZz4xjGSbfGjFB"}
-01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6116.1,"max":20960,"stddev":7174.9,"var":51478880.0,"ent":3.9,"data": [13634,13791,13932,1053,15111,1394,4,2,2195,342,15,8,10,14715,11,4,4,3,4,4,3,13849,1181,10523,11750,5487,19948,6547,20960,4038,19076,0]},"pktlen": {"min":85,"avg":343.8,"max":1242,"stddev":425.6,"var":181138.2,"ent":4.1,"data": [1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86]},"bins": {"c_to_s": [0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01687{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6116.1,"max":20960,"stddev":7174.9,"var":51478880.0,"ent":3.9,"data": [13634,13791,13932,1053,15111,1394,4,2,2195,342,15,8,10,14715,11,4,4,3,4,4,3,13849,1181,10523,11750,5487,19948,6547,20960,4038,19076]},"pktlen": {"min":85,"avg":343.8,"max":1242,"stddev":425.6,"var":181138.2,"ent":4.1,"data": [1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86]},"bins": {"c_to_s": [0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":219,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267477602863,"flow_dst_last_pkt_time":1591267477602221,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1200,"flow_src_tot_l4_payload_len":5428,"flow_dst_tot_l4_payload_len":230739,"midstream":0,"thread_ts_usec":1591267477602863,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","packets-captured":253,"packets-processed":253,"total-skipped-flows":0,"total-l4-payload-len":236167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1591267477602863}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052991 bytes
-~~ total memory freed........: 6052991 bytes
+~~ total memory allocated....: 6052987 bytes
+~~ total memory freed........: 6052987 bytes
 ~~ total allocations/frees...: 121761/121761
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-29.pcap.out b/test/results/quic-29.pcap.out
index cda5b4055..973aaac5a 100644
--- a/test/results/quic-29.pcap.out
+++ b/test/results/quic-29.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046188 bytes
-~~ total memory freed........: 6046188 bytes
+~~ total memory allocated....: 6046184 bytes
+~~ total memory freed........: 6046184 bytes
 ~~ total allocations/frees...: 121523/121523
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-33.pcapng.out b/test/results/quic-33.pcapng.out
index d45b2cb25..a43cf8ba5 100644
--- a/test/results/quic-33.pcapng.out
+++ b/test/results/quic-33.pcapng.out
@@ -5,7 +5,7 @@
 01387{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456563491,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1607938456563491,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"0299b052ace53a14c3a04aceb5efd247","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}}
 02197{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566304,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"thread_ts_usec":1607938456566304,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvBNgRQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gTYBOuKAAAAAQijB72XkxHdoQg7VxcI2Jvc+wBAmyNACkF8YFqpKbrULKoDb19+uZg6qvjJtwEJ\/uOaQSa3OSU6O4kzdS3stlDlI1x0pxU6U1p+48IkszqoivEYtB69bd+ITaYbTkxaelp3jMONrgP7+RVKaRNSt1HkpjhOcLPrzWczoHNZnIhNfvDy2JT2t08AucggcJe2\/4B\/vdnrtpqK6V\/yqwGFTMu1rQIkxS92C6tKauoy9+VqrwAAAAEIowe9l5MR3aEIO1cXCNib3PtEAuCsTgG\/NlsvOl6GJP2fa9o99BT145OKWZuTcmr433tc4jI7eA6S9XkiunJFKo6ZwPI0CMllqhzpZg\/M2oExoGin\/1BGN9cmCUQfuYgNqfFCtG+9ndT9HYjrsBCdjtJLmxL7rPr9q0tjGpDyuXZi9R4mNROPUrln\/PkhZzgiM0sHtdd5p\/bNeUYtEqE7ldAVt6\/n44lU+YN3SU+JWXbqssVrfvVzr36h3ab7fYZ2wDsFWfe3UAXx72w0FuOOYB7+7UQe00b5Z0z5SyfSm4P9dPYqojw9+jCHeJHd8IAkR4khzwJfJ3q7ZLCXjemRtbjS+jOnIFHSC581L8cRfFE0puRn3ZcyA6eigK1\/b\/IulmnDweMhm5uzPfRzVpuYtDAmfupBBO\/lq0x9UE6G6aXlrZk5pUsV\/Pqkms2\/6G+WtFFZQVjHMyjk00Lt801D4RBFQF6Pahphh1rFyerbrHyGpVjzLCCjQyphY+Ef9GwnSwZSXfDtl5l6V75F8hdBb7eRQwoSsYy2TAPUn+5EgUUMa1L0FdqwqulhpTwuiKxlEjCwVmTxOQ9cg0ckmklTggiUpDihR6CGEJh4wbwQvtSQI7moaNImb3zhI+1KDCqOesSmC0luDPiQ6HVXRRmZBTcfdXaVe6yn8aOTSuCvFQcYVZJMmDXWA3tjd8oaA17lJRBbd52Hesk8cJ\/YJxx85q2dKnHlb3PDDd1GsYUOHckqW9oBPW3OnKOCPAmLbdAwZewxw5NCtlvRr65YuEBJebGFHlf1HDlzUGnZEYOFz7QCUVI0Cm1TQGPnrse0LdnJMU4XAsVFTZ0rmN1WZ7lpL6siOc2kDO70InGs0erREqxP56ACsZJMVSLIWh+Wtd1TXT7s1cqcJTYFE1niy2vrWekG6gLj5S6d+RexzQMJFxrY7r+11SACpmCHMFInRkZ2X9ItKQsY5EbZalkFRVlIPVyM4egzMKz9sn52T\/vMFKgNzwFrf2sp17iUQaz1IyM4BWPhByUmfVEtsPpNhTudVAjT+DAK93H3WyrArXi\/C2kIO6kQjQL8MrdQf21Vn+lMg29055+PrObIIyJyGedJEXiBJHhcPUZyzw5wKIN3qGujdkkwR3NWZGQsR9D9oFcHebuLVvyY9rfcmZsewBxwBuE+3j7ZET5hnurVax3LpMwvKOC7lHimTxsExq+Apn9MfGeNafcclrRpd8qOhu5Y\/D9oPxLb43JPWxWrwE9\/H\/\/i9MLl+t0zWNInh13oyE1g07E++NmYobon6Smh\/KGoGULC6seHfmLDTFHYkzCH+jMiW6zoYiu7MVxzW\/pT13bjivVb6\/E5Iu6Gt0D2z7Y6bkUG7P9GxtXA2I4cOhOe8m7St\/U9gg=="}
 01532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566431,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":805,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":805,"pkt_l4_len":751,"thread_ts_usec":1607938456566431,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvAu8RQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gLvAwKiAAAAAQijB72XkxHdoQg7VxcI2Jvc+0EX7RIgJstg2q\/pC81tAEQflatapq\/RZQEybKUVkOQrHxIiM3xbz3ZbafCyVgp9YFd+JrcvMCpFHqt9ha4UaWT\/CVOhVDMl+x8Qz2Pi7UbhXXzBIpETH8Z7GAVhwJp3720klhijkJwcoDMcJhlagIc47WtHZyC2\/NvYhyD6pe18qYPoUjuwqv+wJE\/ZuFV52ejpLWx76nNhIhGaoM22WiUW2N20UYQh0kubnK8ydedmguDEIxF73mmjfBjQU7d+\/kjc6w69nvaNM1WUtVe+1pIxu53jikC+jWmnb37byYPq9yuXiC3\/7jLmxfDtd9m0NACttAKJA\/JNnc1mj5nC7Y4hcumqIR3HrbC6nuLoYsXX2Zp0f9UgYV0fEqMHvZeTEd2hiKBY6bJdCuJKiCqdgeiTl8HqX5mvvlLWJPlmCEJCqIrxf4AkkUVGE4BSMBWdBgCOEniMLjdilc+qHYhwYNZ7tIGoZF6d6e+Y9Yje+rmHUnbpVz7jAirlBT5H70Gx8i7gxMgFdddmzogwCmelHc7wvmzlC3bbPNEkyFgFvBjt104z4kXXH0FdVNTjvLWqMrMbCISgSyaKcGImnAuSczuqI+IdDAVMV3KZetnbRYTODT0MnkiyhjZS2c2FGhXiSczCoL+nOf5G7u0IMQ1S2B5gWkWA4zkPvuFc+aQWgo\/5D9qUsPB6Q6\/Lj7MI5fOlLauhfzQmW9GNJRpuqdg3\/ZmECJ9z4HnHnfJd1luO6tXDuMawQhxYeD2xpO\/QqBEAH7sAsFTq\/abn1uTe8vqVNYsZRf0hwJAKRW\/BJxg25OGxhUlcywIb3vGZoq+dJmTxYWX\/eqXVDs+dco62ygOlroB9wJoypHt\/D+y7eYcgKaWYE3hnP28kNmmEQuWhfqoLHNJTZas1p5oY5kezaxnU27xSuQXqGdvZdYxhIaICM8EHXUKIOqW8fx5oue03v9+86w=="}
-01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":391.5,"max":3446,"stddev":792.0,"var":627294.4,"ent":3.2,"data": [2813,127,21,3446,599,267,22,367,71,407,38,1140,1379,530,25,290,50,285,35,19,16,16,16,16,15,17,16,46,17,16,16,0]},"pktlen": {"min":115,"avg":1004.9,"max":1502,"stddev":605.0,"var":366070.2,"ent":4.7,"data": [1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502]},"bins": {"c_to_s": [0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0]},"directions": [0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01909{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":391.5,"max":3446,"stddev":792.0,"var":627294.4,"ent":3.2,"data": [2813,127,21,3446,599,267,22,367,71,407,38,1140,1379,530,25,290,50,285,35,19,16,16,16,16,15,17,16,46,17,16,16]},"pktlen": {"min":115,"avg":1004.9,"max":1502,"stddev":605.0,"var":366070.2,"ent":4.7,"data": [1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502]},"bins": {"c_to_s": [0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0]},"directions": [0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01141{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":99,"flow_dst_packets_processed":893,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456578110,"flow_dst_last_pkt_time":1607938456578127,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":8598,"flow_dst_tot_l4_payload_len":1270620,"midstream":0,"thread_ts_usec":1607938456578127,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","packets-captured":992,"packets-processed":992,"total-skipped-flows":0,"total-l4-payload-len":1279218,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1607938456578127}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6074587 bytes
-~~ total memory freed........: 6074587 bytes
+~~ total memory allocated....: 6074583 bytes
+~~ total memory freed........: 6074583 bytes
 ~~ total allocations/frees...: 122500/122500
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/quic-34.pcap.out b/test/results/quic-34.pcap.out
index d9766a2c4..70ec7f048 100644
--- a/test/results/quic-34.pcap.out
+++ b/test/results/quic-34.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046037 bytes
-~~ total memory freed........: 6046037 bytes
+~~ total memory allocated....: 6046033 bytes
+~~ total memory freed........: 6046033 bytes
 ~~ total allocations/frees...: 121512/121512
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic-fuzz-overflow.pcapng.out b/test/results/quic-fuzz-overflow.pcapng.out
index 73bd9eb11..2fa02b7c4 100644
--- a/test/results/quic-fuzz-overflow.pcapng.out
+++ b/test/results/quic-fuzz-overflow.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035646 bytes
-~~ total memory freed........: 6035646 bytes
+~~ total memory allocated....: 6035642 bytes
+~~ total memory freed........: 6035642 bytes
 ~~ total allocations/frees...: 121487/121487
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 505 chars
diff --git a/test/results/quic-mvfst-22.pcap.out b/test/results/quic-mvfst-22.pcap.out
index 8a1593033..7feb09f08 100644
--- a/test/results/quic-mvfst-22.pcap.out
+++ b/test/results/quic-mvfst-22.pcap.out
@@ -4,7 +4,7 @@
 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":24710880,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24710880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":24710880,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"graph.facebook.com","quic": {"tls": {"version":"TLSv1.3","ja3":"a3795d067fbf6f44c8657f9e9cbae493","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-fb-05,h1q-fb","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft)"}}}}
 02180{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24717506,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":24717506,"pkt":"CAAnANMtUlQAEjUCCABFAAUAAAYAAEAR9MMfDVYICgACDwG7ixEE7JMhzPrOsAEACEhjA85S+SrVAETSp3xd4I3jcnRue9L34hUuKLzlfpPUk0DMF1\/VFxThZTibHyGTQPaeM6iOotElwwAC1lRX5vIn9ya6YsAZzR1T20xEKAiW3eJkBYrfQ3apmceqTTBCX0bJxPnVeRIzBODDHWoJM4cXlDC\/p3lohjBDIh+3Pmk8tNap58UqGgjHnaigatc5CgFJHJWL+Kd1f9qcpuyZT1uB\/ns\/WT+PLudF\/jQ9707j1mFbnqiURY6nhTe97ZArhq7t1JVJAsO33k150ABBjgVdT\/6wgI8ik0OKmmJMbfb2L+7Ixq0YAACyySDSzQt+wcslS6ksj5zkeJG1dT9Y35jxFQSLUO32yxmbwQFG+b4QvZMRJyJvqfQ7oSMncZe7gs3wgTuaXe5geZfkx17MmRYXTYrf9pvAukh+MM4Q8hjt2gZyy+8MqEokO31Taq32iXjDeFgjn7q\/sQ6rvlxCVyZt8Ccaw1VxzzUAQNXg6QrtjGJsnqKEgZqyevLn4vgbCyEPYSqzUTMTMLMrTP+YLSeAUyD\/0KlFtPE0vwwFCXwILzsVlF8Hrkegr6zVR+h\/fNZFiUKr8jA4htexop3\/TtMjF2PSObMi\/B\/O4yOQK7dMjsb7j6HNoUatgqnfa\/Ep22MPaFjhmHCE5j8WrQYwGpwTuF1k+FX+IBnWV4aUFnYpvfr221AiaeRWseWythbDWPKdPOoQEd\/nzlYGC5Oxk\/91qMZSP6Qi8tEzsAHdyiB9WngqFXo1pqCT6\/T6hHvEqNor+wZ910MK6fQ\/Z\/7idL3\/nnBnU9m8lqNNZM0XegQQnU8+PD\/XZhQjxUwoqqNWAXTx+KKl5uQmMcpN8TieU3aBwrb2x1xcZVNXnjwFxiEsI7kDQg0bAdgGrjrWKUk4cVimEMb0EC3L3V2ZK9Ef+8sswkJ6ekYpwvMTIYU4ZOYeN6c9agkkoqzbCCHeRQql9R0YriJFUFgYENUK5b9nwRNBW+A+lZE8ptuzw5xsFcuyBXpjCKYIgsmKcLlQPkBkV4L5QGZQzzBmN2GgfUAEzN8WWVN0hJqYa9YhcX7zxmRv9gsMitNksaFnr6AlihFLFZqlT9Y648AprztjF7njBZZ3u+CXpZkG7Px2yrrdTouwjAToPn\/AdVmPPTHV6xKp99fDbwaMyfL+yOcnJ2plbK+wkS1jsiP\/yDk9VzA04xL0657ViUEAuv3t4Pev7pI\/DIFdRVSmTSWKvywkuBVJ\/VJOp\/6cO+Cy5FlDhTQR7H8evMXUaEHp69QHfF8fPUAjUyJ7IMeXXtuK3UkzI7UvsOqWVYGkA2OumbWmFRfgS9XBGi3DmR5otgit5Y81MAvHsCQ0V0IB2P\/yq9sRuL6R8TwF63sAvaPwfsPjICjHyZ2krnIlWXUbArKvncQeHm1H6y9ztqgfn+NTwpQWRfi71aj5FP2C+U3RB9l5HqGgyZJ9tt\/Xiom3MonkmdTNfE9C0G+zTKbgAzuir0+laGJim+TV37+wtcreN2P4GKPPo2goOCnc140xbDBLn4BL2axie9RcUyuxXK9wAWvijAfXal3f1DydwVZ8LxwK8o06yHcTKFQ\/sXJaHnxv2HTtF\/v0IBQjQRHILVxnhCjAh73MlFUFSG3zJQ2aU164W5cGJFQS3\/OOJsBbuI1J+KjSFQ=="}
 02177{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24717680,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":24717680,"pkt":"CAAnANMtUlQAEjUCCABFAAUAAAgAAEAR9MEfDVYICgACDwG7ixEE7GUmy\/rOsAEACEhjA85S+SrVAETSuH7quCgS8Qh0D\/bDO3gFDyLADGIuWnyCygbJxoXjp96KXvspho+865YDAISOGlOK6zOTsHDQAebkiFhwjAE3CGShccg0NcaDyS5u33R8Osm0onTcQUcavm+SMZHNxND0mAg59a7z7rYhXIsBKLYSznCIFNmBhvnQ+54HWzq4kDWVLL0ptfvb3giThFXk1AIMtBbaQwMGxHg\/8x0s7Ppw1zOCvbNuFb2SaGK8woqt2broJB\/xJJE2S1FwZCmQqqrE1mHTwDi+8M\/OC1IyVNxKVB8saqcFSbFe3BJEULgEgbvBwmfmNN7Wau\/J6gJxg5w745\/ujGtOLBoEAnkzp3XoTJN0Y42xyNe7RF+e2AS8staHpKBMbgG4b2fukqv0W5QWMOb9XdlK5lappO8kEpmoLvACo9Sy1bI0dfdz52edGlrvLjFy2h3zOMrwDHWDRiYmPSAbJ9pyo+VCqFMWVDhQI4ZmsKudQZcU+vReqpUp36fwM5gOtsh2Hk\/S0k+EHqDAZZLNzSF4Yr5ZabIDN\/R6biJU+FbtoUG+RJBpWcvmHAUftMbmErNWLgTpRpllj3nUl2F8eMASJGjRK8oYFrTV1fl7xjdeBam93XysGVWS92VND4SDvDULI6TRr\/337rNSj3EREqThlcSaMocH0kz+\/upNhJQxDeelV1RY26qv9bW8VdFma6p7uhfRK2roH3G5uc\/+tiG6qdmRct7WQoGsbTeaFFwB7Ji7Wtb9Amekof3OVUrPd+6iV+W3mM4hQL9kRTkFzHEd\/WA\/+8ZmZ+0XzQrpy3WwRvRc4DmvV7nvOYs8y+909LdGLV6CpRLEK1604OVZbyXxVxq8+mD19ElUn1g8QnbzGBFa3Eif7B0cGdFF8WqgYvqe7ufF46ZJs8QD63+SQv8gGxmUo3SJWQ3Yfj1uYEYSEfqi43AQxOFbKmd5oqszRdikvUk0Zh8XMjntw3CR4tWh1lqTR3LIN8Lt7A9gIRX8+3G76YoaDY2JIMjxOuLYIRBVe\/VWBuKPMLqRCv4wvIDach8GKJmbI9PTQ01q1Z5kL\/zM7jTdFAlentpckr6+ua\/D6t6rLd0nkkL8d+15pg8\/FKhrDBHA4Ml4BRHizjz4SpRJ2QEiV\/niWkbX1e0hkpcbZ2xmOFDZW\/9O8RjAOdM08kiCSbKZTUpnl9P0qLKtjystpZa5q8OrBMgSHUgHM1S7geU06smT7+czbBGnnd5A+6PV0mPwqueT\/OUV15fL2NUOxgfqhC8iKqRfJcjzm8CssrkrLVEfaPmw7D7KOm7\/2J64iyqOubriFO6KrbjP+1qKiLmCaqNeEy3JTylMKWsH5UVovtnGGCKeolJjanKSFdzQ0naGenN7GlArcfV78Zclt+QC9mK2mtHkEiOwhoeprg\/zQujUyWH4lxZTrhtEFhlJUvQKpPst4HYEqZgxQPGS5nmr51v1f2cwzcaORxf3cXeVVh\/GKwiwMjI8VaKzhRxAoKZZ3g1TUl61dqF4liU6GnZkX+YBlPJ80vXLVfIDc4zwsjaBUxk1pJO\/LOLCp5buKJ87EbzIoejsqFXfFarTVLwKw\/2KUHEIwDL1x1rU0t6Q+Ap29yyER+brp4OyVHhD6T7u9LrfjXexdQfUgnSNX1Ib4LZ7OO\/KrQ=="}
-01699{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":24710880,"flow_src_last_pkt_time":27201767,"flow_dst_last_pkt_time":27283563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":6836,"flow_dst_tot_l4_payload_len":11997,"midstream":0,"thread_ts_usec":27283563,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":168785.7,"max":2090987,"stddev":514567.3,"var":264779546624.0,"ent":2.1,"data": [6626,174,24,23,15783,192,68,25740,16544,24398,2090987,2072824,30640,212689,1822,115,243417,45,25374,21896,80671,49,21,8,9,96673,35817,60860,70,11,0,0]},"pktlen": {"min":66,"avg":630.5,"max":1294,"stddev":577.0,"var":332915.8,"ent":4.3,"data": [1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294]},"bins": {"c_to_s": [1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":24710880,"flow_src_last_pkt_time":27201767,"flow_dst_last_pkt_time":27283563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":6836,"flow_dst_tot_l4_payload_len":11997,"midstream":0,"thread_ts_usec":27283563,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":168785.7,"max":2090987,"stddev":514567.3,"var":264779546624.0,"ent":2.1,"data": [6626,174,24,23,15783,192,68,25740,16544,24398,2090987,2072824,30640,212689,1822,115,243417,45,25374,21896,80671,49,21,8,9,96673,35817,60860,70,11]},"pktlen": {"min":66,"avg":630.5,"max":1294,"stddev":577.0,"var":332915.8,"ent":4.3,"data": [1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294]},"bins": {"c_to_s": [1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00900{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":188,"flow_dst_packets_processed":301,"flow_first_seen":24710880,"flow_src_last_pkt_time":74905965,"flow_dst_last_pkt_time":74922862,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":72648,"flow_dst_tot_l4_payload_len":195043,"midstream":0,"thread_ts_usec":74922862,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":188,"flow_dst_packets_processed":302,"flow_first_seen":24710880,"flow_src_last_pkt_time":74905965,"flow_dst_last_pkt_time":139922848,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":72648,"flow_dst_tot_l4_payload_len":195075,"midstream":0,"thread_ts_usec":139922848,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","packets-captured":490,"packets-processed":490,"total-skipped-flows":0,"total-l4-payload-len":267723,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":139922848}
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6059976 bytes
-~~ total memory freed........: 6059976 bytes
+~~ total memory allocated....: 6059972 bytes
+~~ total memory freed........: 6059972 bytes
 ~~ total allocations/frees...: 121998/121998
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/quic-mvfst-22_decryption_error.pcap.out b/test/results/quic-mvfst-22_decryption_error.pcap.out
index 25bbf6b32..2eeece2e1 100644
--- a/test/results/quic-mvfst-22_decryption_error.pcap.out
+++ b/test/results/quic-mvfst-22_decryption_error.pcap.out
@@ -5,7 +5,7 @@
 00897{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296832000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1593498296832000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","quic": {}}}
 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="}
 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="}
-01660{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":1666.7,"max":3000,"stddev":942.8,"var":888888.8,"ent":1.4,"data": [1000,3000,1000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":708.5,"max":1280,"stddev":531.1,"var":282057.0,"ent":4.5,"data": [1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280]},"bins": {"c_to_s": [0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":1666.7,"max":3000,"stddev":942.8,"var":888888.8,"ent":1.4,"data": [1000,3000,1000]},"pktlen": {"min":60,"avg":708.5,"max":1280,"stddev":531.1,"var":282057.0,"ent":4.5,"data": [1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280]},"bins": {"c_to_s": [0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00938{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":43,"flow_dst_packets_processed":310,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498297033000,"flow_dst_last_pkt_time":1593498297036000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":11825,"flow_dst_tot_l4_payload_len":378781,"midstream":0,"thread_ts_usec":1593498297036000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00587{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","packets-captured":353,"packets-processed":353,"total-skipped-flows":0,"total-l4-payload-len":390606,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1593498297036000}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055962 bytes
-~~ total memory freed........: 6055962 bytes
+~~ total memory allocated....: 6055958 bytes
+~~ total memory freed........: 6055958 bytes
 ~~ total allocations/frees...: 121859/121859
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 515 chars
diff --git a/test/results/quic-mvfst-27.pcapng.out b/test/results/quic-mvfst-27.pcapng.out
index 6f132ed1a..c7645b270 100644
--- a/test/results/quic-mvfst-27.pcapng.out
+++ b/test/results/quic-mvfst-27.pcapng.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046336 bytes
-~~ total memory freed........: 6046336 bytes
+~~ total memory allocated....: 6046332 bytes
+~~ total memory freed........: 6046332 bytes
 ~~ total allocations/frees...: 121528/121528
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/quic-mvfst-exp.pcap.out b/test/results/quic-mvfst-exp.pcap.out
index e47d37e7a..1217e006b 100644
--- a/test/results/quic-mvfst-exp.pcap.out
+++ b/test/results/quic-mvfst-exp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046629 bytes
-~~ total memory freed........: 6046629 bytes
+~~ total memory allocated....: 6046625 bytes
+~~ total memory freed........: 6046625 bytes
 ~~ total allocations/frees...: 121538/121538
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/quic-v2-01.pcapng.out b/test/results/quic-v2-01.pcapng.out
index d49fc8ee8..4184fedf4 100644
--- a/test/results/quic-v2-01.pcapng.out
+++ b/test/results/quic-v2-01.pcapng.out
@@ -5,7 +5,7 @@
 01472{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746209343,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1252,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1252,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1252,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643108746209343,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"c0ce40fbb78cbf86a14e6a38b26d6ede","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-34,hq-34,h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29,h3-30,hq-30,h3-28,hq-28,h3-27,hq-27,h3,hq-interop","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}}
 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":1643108746211563,"pkt":"CgAnAAAACAAnfrFjCABFAgUAAoAAAEARgVPAqDjGwKg4ARFbhbUE7O7hnXCaUMQIS6wx1HkzRzII64iRQkuUIpwAQJyCVjJNuDCrTNqXXWMPn6Re4L7SYVwqGIQCQc\/4z9NyAaPCA1EjtACuJoZLCrSNpYRSybpCuKQ+WoUiUllNx92L2MPAGJw7utYFPv5OGHw1\/\/sWndgkLy8hp7pR69\/u09rZKcS+JfFwJmuIf\/ksSjGDUumn50Ay2Rd6o4XXl0HmsmbBIvWvgU6hASVdT4jxaoclAPsXX8CPP0up6Fe0cJpQxAhLrDHUeTNHMgjriJFCS5QinEQVHufFpgZs2aV6du2ZRQqQKDOjoGilHODVeRgnXJ5P7T\/zsZp32p1pLUsBPppTZZgXUGe0MYPRpYRLZP6S2YwCHKWU+l73n0JGtHauiFtNycThrlHgcsb8sk5tcvU6Y6ScYjaBJZo4SvzfNpo4yZWfBNk2UYHfihFbXoBagL8Ni3TJrQD045tOl+1YfuvN63veyZsQEZqEx0dBAmyVl+9xjvqkhzopKh+NpWRz5BIklAlUFmpNduMfQ3T20hAf9mJ3AOigASJmi6bsOzfT+fmMLLJFCGGvf7Vtj5E1FZRVn4fPJh6AHDI4r32EO9lBeOo\/bRxKO\/xtuNE4dXyQrhgsAmgYHZAjkPqRu\/l7804XDa5V8jNWzrthKJ47r2cSNRYsG+fH2fUAebN4YB+rihSsIZxpHY2QnwFGSwB6H7Skxg+Iph02BLynk+Iu8t78JbQQo03RTVad7a1H2K5yGJBnwMaDh8uWKRogMWzILW0GAvr6cB6rKtZvIB6iaFRtpW21wxF6FMiWghHWS2MMSMwh35jVZuDUmDisttokt9hNGZX0VcNuKmWidzlE8BvnwG5U\/lPWrVnAvZVmrZTmpKOyI5TR7nxh84GrxxCAx17MsDCnck39parnwVt\/QNJg4GreMjaXUUPTYWQryOwbG6s95MTEr3kfYLs4mW1uf0zDrci29F2sFu\/C\/HmqkFvZ0OOGC+62wGqGORW\/vlf01u6eGRup6wAte8fwWPF\/vwQLZV4\/zxpFUgF0tAqfKM3PO4Haxa9nHsPVZrUGZMlLFWcB4nBKG1NdoHQpFnsMhBc+wza2JrPisqt5PiVyJC6OvV\/cU7ww3Rc1ZbzC4jloEENrow5U5qEqSaBP1zNwYznCuMne7LwjmE8EnIma1wUrAiD9QtQZyRcWI2tpjtba1QsGHPmDL5TsbCiu5lRo6fKqxLAw32vAkyC76P1133lt7HXruzSBRhmkFpsQbeMtEt1sNBll1ZQMowIuN84gLLCcft+MTcp3i74\/r8i865o44mVqYEl+o8X\/pbSdpT9L6gLAevV9TpMYpr+mcHT0ieagX7Jnn35uw6zjOtQWRDf+XCisrr1nKY1EVNzop8RK6vKaPR4oivRBODylVd6kbG0JUHAnr0Ix4f91IhN0iE9wN0staG0WUiyWtw\/orMSuxqBfKKdgnMAvmqdZTtqpjXi4aDVPEGseUXFoRd2eIp1NKtyrFMTN8zew2FQfUM5ZPV+mLZOckS47BcCaj33vmjmNhp4PqOibtw4GGIkqKdtzvIDU5hpFJQe3oYXwcGYY3eEEzdtrD2Vx0tDP6Yxy6KvVsm5\/mMYXMhGZoUA1zlKEtVTTbazFot35oVX4ngIUMjLuaLnu+ZQA\/SsjZCeWQrKvnx2aQ0fMdg=="}
 01476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211597,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":766,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":766,"pkt_l4_len":732,"thread_ts_usec":1643108746211597,"pkt":"CgAnAAAACAAnfrFjCABFAgLwAoEAAEARg2LAqDjGwKg4ARFbhbUC3F+UvXCaUMQIS6wx1HkzRzII64iRQkuUIpxBBHClZrSkXwcilginpQcYrC6+gYqStd9rEPJAVa\/X+ectxL4RSmYFqLCVrwpVh1cagxhOComdCEfuthVLRVGijz0VZq73gJfVJDTIt9AqzDxtaVsVpsxn9nkBr8pmVajuM19igvEhLOOlSEyBeUeB0DFdaZHW2\/JO3NISTHIWsZrZsFMVLd9gHsuxJ1cw3ZhmXfOm4UQbO0gsJiSVP1hEVffenYC7rMaAhCUYN9+RJxV5yNtMPMGyD3sgFiZTkHnxcTLuuCOpBBBkbts\/gMCM9IZChkDacnOh2OF9\/ohY3MEFlrim9kn0Lkww\/L7utDiRt6G4nl7rnCzjkcY3xLHSfS\/UQGApX0usMdR5M0cyG4HtNIk9Hu3yusEW1qJhexs\/jd2MFqPbzXoJkoBqBRJp9qv7uPIeaJrkQv0lZW4FoaNVZAxaKV+W4vwOyfLLLUAqbD+eP0q2akwmVXy9Y8QV3RpHIAEJdYstRBWUkoiGbfH\/tn+FdXpRyxXFod1a\/iZeqISyuYA2sKP1DJjEFrTzbkdHxX2JNiQQ2tZ+ApMfsQ0Q3QHD6f2C+xRLtvPcLqXP7RxXsRrD38p085fQ2lzG5FGYGgbhRGLwEvS2xYmIc5SWcIMn4zDkXXhhptIlqESYssWwykAjHZI2+hUtqOdrCizJkWiDODkpCMdaXGRR20dzaKQXdlriwcHLV5d1GvkCwMjcqS+C3ysNw8ltkxZbJAw3X1KjTK669DDz0zSittHV41nQk4SLHBtK3xCfytcsQ2Woqekdb3A1Hgo2e8QMTF4S4OsVjiekXWM847U9xQtRGGBIxOeuuzZN2uX3hL9UxceXknbMIBuTtD1iz9sd5bcqUQJpjX4\/iuJ0SwzD3dHw3Uy0h7w+q864l4fPWvhkeXfYvfcT+Icqi6TMXyciH2pSvVxaT4WJf32OcA=="}
-01913{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":282.2,"max":2611,"stddev":585.9,"var":343297.1,"ent":3.2,"data": [2220,34,85,2611,15,161,480,75,75,407,511,344,364,20,7,7,7,5,8,6,304,236,17,5,4,4,3,7,5,393,329,0]},"pktlen": {"min":97,"avg":1045.9,"max":1482,"stddev":592.8,"var":351417.0,"ent":4.7,"data": [1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482]},"bins": {"c_to_s": [0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":282.2,"max":2611,"stddev":585.9,"var":343297.1,"ent":3.2,"data": [2220,34,85,2611,15,161,480,75,75,407,511,344,364,20,7,7,7,5,8,6,304,236,17,5,4,4,3,7,5,393,329]},"pktlen": {"min":97,"avg":1045.9,"max":1482,"stddev":592.8,"var":351417.0,"ent":4.7,"data": [1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482]},"bins": {"c_to_s": [0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01164{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":889,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746226518,"flow_dst_last_pkt_time":1643108746226632,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":5301,"flow_dst_tot_l4_payload_len":1267919,"midstream":0,"thread_ts_usec":1643108746226632,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","packets-captured":923,"packets-processed":923,"total-skipped-flows":0,"total-l4-payload-len":1273220,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1643108746226632}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6072688 bytes
-~~ total memory freed........: 6072688 bytes
+~~ total memory allocated....: 6072684 bytes
+~~ total memory freed........: 6072684 bytes
 ~~ total allocations/frees...: 122431/122431
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/quic.pcap.out b/test/results/quic.pcap.out
index 0d3d59760..6afadfd7f 100644
--- a/test/results/quic.pcap.out
+++ b/test/results/quic.pcap.out
@@ -5,7 +5,7 @@
 00953{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155536815947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431155536815947,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"mail.google.com","quic": {"user_agent":"beta Chrome\/43.0.2357.45"}}}
 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":478,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":478,"pkt_l4_len":444,"thread_ts_usec":1431155536861947,"pkt":"ZHACjT05eJKcD6iOCABFAAHQHY9AAEARrNjAqAFt2DrUZeHpAbsBvNDyDbLeXfFPVUXrUTAyNAKdxuQD3gljSLhQUOfLRbUHNhGyhVA9b2u4w1RW9E4SCZCpycMJZccQCIwgTfygJ\/6u\/OxyXHQ8t9GsIUVpGN5BSEz\/EaopIjzG0oey+J14dhVaQT5clZ4hX2alMKUnKCpX2UHp8k4gIBE+BTaDbhx4sVltZ3YRbFd1slVBcwxCCDis9hGoXWyhcUU9TpSCvPXqyDIBYGsw8hGUNxjvWcC36dLiKPlQ1A++VHlkjzGxGsfgIrij15t0O6lgXxVbA\/HpW3G2ebAmsKraKCAnkkUtJl3AOI\/J2OljPOJ8ybsb8ihq0NT5yt7I6jw60az5CR6QV4lZS\/t+fQsKeKH0MrEQhH3b6f+BZUKI9uikSR4hfQxA8xYeMMFcn\/fjScjPTaUqPoQqgHKJPMZAaJaOIXR\/06t5\/mWN79wAQ5uIfj\/sSvnF2vA+Wg+Ct+7u2iMK\/1hOAY0\/EO0phnuWYuhnxN7rmjjYiKKpzjb+WYnzCHocgbS6q4u8VmchP8qd2Emms7CkStzYV\/CAUZKEnfSvajU\/RaVfjhz9giNrW3Dr5B1Mu7zIwMFBEg=="}
 02320{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536876004,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1431155536876004,"pkt":"eJKcD6iOZHACjT05CABFAAVi+w8AADYRFcbYOtRlwKgBbQG74ekFTrySAAED7yXOnwe7pFDDfekcKJR3Jy2sqO+OrEMBkrmlA5460PLSsQWLxQP3oiY5d8U9vyThqGCVEM5n\/b30dAd2DjWMikTcCyMma2f07JhYHF3MMGVgNWOe6MGYINMPJ609w8TfRzFDXO2Hv3Rd+Io3\/xrzZn4oPs6zhHI1yq2C3Bu04kRZDHQePoRj30\/8HvjxNKB4JiKyE+zKdMREBQ3JOi\/Z6sOIMbX9akogkYpnl7ng6wuSDWdU0O6S17QqQ\/PZNbWcKj10ybS4iwVQA0f8amB7S9uZIaouXNiBUNnVoBkvwUNJHLfYTkO7Lcrh9\/y6VuU0sUqC5BwPmW+2ikCeMngUD1xHT1Lx5xcuKKpYgNXg5fiz8miFT9HCjdjO6B4AMX2tdmMxafKWE\/OE83wkxbiDjermaqDLFN43iZrsa77dngVKSa0JOoliFCpsBQc+8MPNJciywBt2F7RgKowH2h+9Qk9ORQtDAbuXMpSiJJWSUWGURbG9ZouMcFzy3aCPhH9WEaiDxSqv5bG1C+4++Ap3JmLZGydHT1SxVwfUUCxHryOH1SJLcVb8wYjogx1ZyV2hUKKGb\/LTkrzKQgQmaow0b30+zmXo8EqAqNi+pbkwMCjRuhbpSGWkDycL5nwxuP9Ml3fkw+Nua2MwUp0EfcBQbRU9wNgqxQ9uJseySfgLNd277XFk6kBsEbZHLkwoqVC16i6UXqO9Bq9Qa6OSE4HmTd0ZK\/TJwTkvyZH7HArDOO\/IcXlmUhCYygfBL2Q5ZpNExxrN9hs9fyUTlDAy\/fKVbi1DmTvb8UQ08IKIHR88Yq94i78i11E4Ck+d\/mt1HMNvsgPj2pD+djmLPe2eSTH37Jk2vmFRiqCOpbpsl49D\/VP3D6Iqy69k4ASDn2RRISJtJTG3B4eSG0UcIyl51iCsWhHCXqo+IYYFVP5DZZddk8U1w9uBnJXeOg1TXZTOMI0ol6bS146IgKA69vbLEVfalKBSuGdHvDKyOMSnLak5kQ2gF6fQS9y3naenu5fopH54EXjO3jjfmTVJmGvZC\/P1NiZtWEgaqDhB2DugL5t17Tc3VwmJfqg+3eAVYWabEKtkMdIl3iArLACUUBNCZz1HkomKYV+WYy79+d13Y8v1fzFaFyLLqqM4eyurBPDRG\/+y1oiSpL+pmxwnbgxI3utzVErOYH+5lhn82g\/+Ii+SkdpS0RH4VCbqV\/v0Y4Y5Od4xYJhouL7GcBe5gBVDLL2wvDGN\/2TxDwPjLE+A3+O2Fa4G5F\/+gjnrsB0wdiL\/ilvOHsRXVpnfbw+QbFdGjFQzBh00mHjlv+hyldAVX6DRrmAyZqfHl4R8DYS3AwjxssPWDwDtSUMlQQpikBERZ9MMlFb4xTKRR\/wBi8a8Irtzx\/kIza\/1v2NJPtS13JBH+AEVAHqIKkeVWhalz8eieG0tc75G2spbagtiyakNL\/rq+i0PePLukIW0MDDsvi7O7dn\/0fwGspoErTl6j3PKwj7+sTyyEqAVRQx1M7OB+kmMDRumZ6Ct9DotkVa72qOqLha\/8xxMPobKOFlHa3535yRdBIpdRmga9bEYopLGGzkYHAzAiGpiXAo7oYF9gbpS7a5ciOCtFbOspMqjc6us7YE1Fk9eZR8mOK3nE7WlV4miQCj5Ye\/jSzjCwJgC1JXYSzigmV7HoFUEa9032KRB3TfddhJ9qY+MTGbbTrJ2h+zE2tLE+GlMJ43i68EjkXl4FQgRWpuP1j6L9IzE9WrKG1pRl60aGD77YrqqhZeBKTB3VaLzjU5uW3RnvxwpEMU20qKXXlS1"}
-01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":583684.4,"max":3197585,"stddev":963931.8,"var":929164558336.0,"ent":3.4,"data": [46000,60057,14787,65380,2487,93393,168067,168088,622738,681338,42,58036,3119141,3197585,40,12,54064,25544,1951118,28580,2034695,28303,25,7,56884,470823,496378,2190158,2289756,44685,126004,0]},"pktlen": {"min":61,"avg":323.1,"max":1392,"stddev":382.9,"var":146578.8,"ent":4.2,"data": [1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469]},"bins": {"c_to_s": [0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":583684.4,"max":3197585,"stddev":963931.8,"var":929164558336.0,"ent":3.4,"data": [46000,60057,14787,65380,2487,93393,168067,168088,622738,681338,42,58036,3119141,3197585,40,12,54064,25544,1951118,28580,2034695,28303,25,7,56884,470823,496378,2190158,2289756,44685,126004]},"pktlen": {"min":61,"avg":323.1,"max":1392,"stddev":382.9,"var":146578.8,"ent":4.2,"data": [1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469]},"bins": {"c_to_s": [0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00558{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","packets-captured":414,"packets-processed":413,"total-skipped-flows":0,"total-l4-payload-len":237528,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1461850699450756}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1461850699450756,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1461850699450756,"l3_proto":"ip4","src_ip":"10.0.0.4","dst_ip":"10.0.0.3","src_port":40134,"dst_port":6121,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 02297{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1461850699450756,"pkt":"OGO7P47K7LHXhMJyCABFAAViImxAAEAR\/xgKAAAECgAAA5zGF+kFThlmCfresOVX5pKgUTAzMwHak8zsp30I9q698IIAoAEUBUNITE8NAAAAUEFEAEwEAABWRVIAUAQAAENDUwBgBAAATVNQQ2QEAABQRE1EaAQAAElDU0xsBAAAQ1RJTXQEAABOT05QlAQAAFNDTFOYBAAAQ1NDVJgEAABDT1BUnAQAAENGQ1egBAAAU0ZDV6QEAAAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLVEwMzN7Junn5Fxx\/wHogWCSkhroZAAAAFg1MDlYAgAASxIiVwAAAADS+1vXZRZzJ1+rqmPJtznpSW1g7BCg2rfC01sXLNMkHQEAAABGSVhEAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
@@ -54,7 +54,7 @@
 00960{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075953299562,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463075953299562,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","quic": {"user_agent":"Chrome\/50.0.2661.102 Linux x86_64"}}}
 00960{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1463075953300127,"pkt":"6HTmLPTkABlmWmaMCABFAAF1aTxAAEARYx3AqAFt2DrSzomkAbsBYbFkDby767UFbXetUTAzMAIyT2zFCwKRbjpW5pKGcwa\/zOYtI4ibM\/DXTo+3hM8QHjQop2VE57N\/4px1Dr2rh1Of6fuprsXKXOLDTQHDMOztLE0ibzNUs5cviwMINA8HUKs1w\/8wSCAJg+c5E0s64vzHKdQ5N4AY1I+whZj+YXv7QX9bQtyBCP0WJRsK41puLJyY\/5rYf1WXDzsnCxRRei33WDvMsb+MNKppe2kXK4Q1DqzsKviobjh+ZnTmMaJFKxfjljXwNv0dsW2Nhjh9NEpVNdRUHHe+L\/umz5nJPSc8m3xsZrs27PfAfYs3O4DQT7zrN+rUD1tvAlM6ojpuYBXQUKIqFg6jkPkLtz0lnT5ofUC3bxq1J8gFqtExK3aj\/kH0as9Y1tYZiRMdgBmqLNq1Ru6unJsdETbKAQha1+Pgo4qtxiVVhohC7TEjAQj3UwwRrwKowX6bUvpY"}
 02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":452,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953334920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1463075953334920,"pkt":"ABlmWmaM6HTmLPTkCABFAAViGxkAADQR+VPYOtLOwKgBbQG7iaQFTgWwDLy767UFbXetARhGCjp5JYP2NRSCDQGAAVJFSgAHAAAAU1RLADwAAABTTk8AdAAAAFBST0a7AAAAU0NGR04BAABSUkVKUgEAAENTQ1RGAgAAQ1JU\/xIGAAAt19AYB5aaMKurHRM81LpDG06F1\/HgjIAXnLSYHoaRDG+YCx4gYrs3k43pE\/W5utsyegd0CLIV4fasqoZkRpVLMtnpS+sIRqrbfvgjIL2IUeZTlSGu\/7+bU4Z+Ij1vgEEcToZ\/00OYAYgC+05liNl+ov97hTBFAiBs6kS1HuLjC8x7gQEfBCOAowmjvDZU885lgtcWaGEy0QIhAPm+1mJq5QK6WHRPaEUwOfyND\/8ufeGnt66391Aj9lqnU0NGRwcAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABQVUJTPwAAAEtFWFNDAAAAT0JJVEsAAABFWFBZUwAAAEFFU0dDQzIwWGClOjtYNIHfmiHJ0bGFX0NISUQgAACup8alaVf8gP6KOzle5pjmXvoOKgb+N2LRgB5dcX8Ka0MyNTUSxc3dEjis6kATN1cAAAAADQAAAADyAHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo\/csAAAFUe1HMJwAABAMASDBGAiEAqHfzHEY9KN1QjXeaiZlcHt6ybhyDsnLIoo6e82Zg73ACIQCveMl0OwuTrVY5LqDcb5TIihLD6ZAJQlUDU68E5\/BK6AB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABVHtRyfMAAAQDAEgwRgIhAMWc6riI2T4lmoQuPyvTrFTQuoCnh6VaWJBNwHgCZloKAiEAiHJhhSnJcrUXaDEZQLClSBLKToA3CEOVFu+IPvrOhh4BAwHogWCSkhroAwAAAAN7Junn5Fxx\/wAAAAAA\/wYAAHi7c1AtxPvNxgAsudi+GzSx3oe04Tic2NatWf922kf0hhwVG1mgwsAMmIdMgPkF1p4zMDcyN7AwtgR1otKwWsXBw+UMTDdp+UV5mYmwBMnOw+ubX5pXAkpdYZmp5XB38SC7S9RAGOwuHh4tYJiChMGRGwkUZgf68ZwtsPnBAWYwM7IzOzGwvF91fdMNT2Ud1a7MlSledVlybaZOW\/IT25eYrq8qUp7OLmq33YHB9tcRfpb4rOn2rfYyM5bOl9xpdepuGi\/LiYsHpi9uYuk3aGLpJlSANTGD+wiCLE3MrkCOYxOKA5t4tfQS81KK8jPBDZ4mMSC3oCA1Lz0zLxVZmZCWXnJOfmkKspgYzCDdxLzEnMqSzORisDg3woJEZE5OEx+S1XqZeaj8rAJUfml2Ez+yU\/USi9AFStEEktBVJOejCeRWoAmUoGspy0Nyc0oqEie1GImTVoTEyShF4mSWIHHycpA4BSicElCgQjiJKcAiABJ4cMdARPKaRGACQNncVGCLAqxMECZalpmSmg8WAsVrcQmwYEwGaeNF4gEluYDcshJDJLYRmA00PTe1pAioClk10Chg2yUjE1xANQmAeDloMV+ZX1pSmpSqm5efnJ+fnQlPTFBxNGWpKaWQKhyWQICpJTcdzJGCJ7+czNS8kmJke7iRkyYLSH0TG1Aa2MZpEsGa9LiQkyyWYONC8hYXuGiGmMYBdqdeEjC6kT0ggs35SA0q9gaDDKRiOQZYsGgjFbjy0DKwIDsTyVf67p6O7kbgElUbqQyHKYYGgyGyDlC5jtTI273NV8E2Yd+C1ye2dnFOb2eeVW6ug9bQQS6rsfaMFCEtB2DVhdYd4WBjS2\/kARbTBgaQ"}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":61937.4,"max":828641,"stddev":198595.2,"var":39440068608.0,"ent":2.0,"data": [565,35358,43,40485,132,24017,25957,16828,62,532,35459,51659,446,11,26638,25576,828641,25,803246,620,371,204,811,210,360,238,291,204,540,286,244,0]},"pktlen": {"min":75,"avg":871.8,"max":1392,"stddev":620.8,"var":385421.5,"ent":4.5,"data": [1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392]},"bins": {"c_to_s": [0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":61937.4,"max":828641,"stddev":198595.2,"var":39440068608.0,"ent":2.0,"data": [565,35358,43,40485,132,24017,25957,16828,62,532,35459,51659,446,11,26638,25576,828641,25,803246,620,371,204,811,210,360,238,291,204,540,286,244]},"pktlen": {"min":75,"avg":871.8,"max":1392,"stddev":620.8,"var":385421.5,"ent":4.5,"data": [1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392]},"bins": {"c_to_s": [0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00917{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463060980356958,"flow_src_last_pkt_time":1463060980457563,"flow_dst_last_pkt_time":1463060980449085,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":2740,"flow_dst_tot_l4_payload_len":2737,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00868{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00758{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -73,8 +73,8 @@
 ~~ total active/idle flows...: 10/10
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6065576 bytes
-~~ total memory freed........: 6065576 bytes
+~~ total memory allocated....: 6065536 bytes
+~~ total memory freed........: 6065536 bytes
 ~~ total allocations/frees...: 122103/122103
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/quic046.pcap.out b/test/results/quic046.pcap.out
index d626b1c70..56994ffa7 100644
--- a/test/results/quic046.pcap.out
+++ b/test/results/quic046.pcap.out
@@ -5,7 +5,7 @@
 00969{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191933380,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1584456191933380,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","quic": {"user_agent":"Chrome\/80.0.3987.132 Windows NT 6.3; Win64; x64"}}}
 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584456191934367,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1584456191934367,"pkt":"ILABHGh4AJqdnpsZCABFAAIwVxBAAIAROIfAqAHs2DrOVsWbAbsCHCGo01EwNDZQtKT59fQu3TkAAAAChrDGo43cDq7OAgdbv23GehH0jM01fB5SqCBHGsm4tNDoSAuylkVeyVU1nO51BVLZDdQpzNO9j8lf2o\/kFvxF1keBb1V8bWQbm4GDCTzD9DJbwk6JCzbiEHbQt2\/y4DufAauHa+qhpg6F7I1VBRA5chHzaHSfbKq18eEDQ2D7fby9uiPXDB6cfTGjCACXfFYXGo9zhyaFNtzZv4x3bPv04LGnwloRH845hLIF6d5Y+oKP0inx4RVaOxEjSkSubSvYLun8u1+DAfAvr3DdmGZRAp60H0VhNkgFDR0TK1bvdtwD\/6cndHRtyUINoQIRApDi1wb1MmCAOOvL7steTPHXY5nIkaq4iXTy+WyGwwX1EiuR+wqkWZoB8nUqj3ZqApzNfexl+c7aCawPzdHT3P5zDq7dSyz1wAkXCTveL49FopZWy\/uuB+P5RJbaGpw3CvzBYR4o98uBght36oYbWpopqUw9u0okr+r3kEm4Q75LZzqLS97VgZsNPml00CwyHuDEnhiPWf19O4H99TJdYurnXZ+SQi1Zt2RI1GgBrEOAj7V7V\/6W2VgqcYkPqL1UO6lW\/zp\/K8LZMma1gVsHh4jJ1oXnE7Qjtqi9Um0bkNgFqZBX1s4cYf2FTDL0Lgyu2DOK3ATmX6nv91Qh9\/msYcWCN59XOhhsFRlmXSuc2N2TzOTtWg=="}
 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584456191934926,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":128,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":128,"pkt_l4_len":94,"thread_ts_usec":1584456191934926,"pkt":"ILABHGh4AJqdnpsZCABFAAByVxFAAIAROkTAqAHs2DrOVsWbAbsAXuOl01EwNDZQtKT59fQu3TkAAAADQ7oFqOGvWa6mhIUAfFpbpAofPEreEA\/GGklYOasxEedYwPIHZE9zXMBgbnX+9bPuSN5MQzRW31QsSe2iJHxiKYqGbP8="}
-01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":176,"avg":2207.8,"max":29469,"stddev":6263.4,"var":39229868.0,"ent":2.6,"data": [987,559,560,557,592,573,584,606,710,21225,29469,423,216,240,242,250,248,254,253,253,237,265,240,242,256,252,6530,176,509,707,228,0]},"pktlen": {"min":62,"avg":907.1,"max":1392,"stddev":591.6,"var":350034.9,"ent":4.6,"data": [1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392]},"bins": {"c_to_s": [2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":176,"avg":2207.8,"max":29469,"stddev":6263.4,"var":39229868.0,"ent":2.6,"data": [987,559,560,557,592,573,584,606,710,21225,29469,423,216,240,242,250,248,254,253,253,237,265,240,242,256,252,6530,176,509,707,228]},"pktlen": {"min":62,"avg":907.1,"max":1392,"stddev":591.6,"var":350034.9,"ent":4.6,"data": [1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392]},"bins": {"c_to_s": [2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00918{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":63,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191984839,"flow_dst_last_pkt_time":1584456191986142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":5170,"flow_dst_tot_l4_payload_len":81927,"midstream":0,"thread_ts_usec":1584456191986142,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":87097,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584456191986142}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038593 bytes
-~~ total memory freed........: 6038593 bytes
+~~ total memory allocated....: 6038589 bytes
+~~ total memory freed........: 6038589 bytes
 ~~ total allocations/frees...: 121588/121588
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/quic_0RTT.pcap.out b/test/results/quic_0RTT.pcap.out
index fb0a9b254..2b22870a8 100644
--- a/test/results/quic_0RTT.pcap.out
+++ b/test/results/quic_0RTT.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6061121 bytes
-~~ total memory freed........: 6061121 bytes
+~~ total memory allocated....: 6061113 bytes
+~~ total memory freed........: 6061113 bytes
 ~~ total allocations/frees...: 121558/121558
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/quic_crypto_aes_auth_size.pcap.out b/test/results/quic_crypto_aes_auth_size.pcap.out
index 5af64a4c2..d2da7a22e 100644
--- a/test/results/quic_crypto_aes_auth_size.pcap.out
+++ b/test/results/quic_crypto_aes_auth_size.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6062271 bytes
-~~ total memory freed........: 6062271 bytes
+~~ total memory allocated....: 6062263 bytes
+~~ total memory freed........: 6062263 bytes
 ~~ total allocations/frees...: 121543/121543
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 510 chars
diff --git a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
index ac8aa344a..e8e5c6bd7 100644
--- a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
+++ b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6060675 bytes
-~~ total memory freed........: 6060675 bytes
+~~ total memory allocated....: 6060671 bytes
+~~ total memory freed........: 6060671 bytes
 ~~ total allocations/frees...: 121533/121533
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 520 chars
diff --git a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
index 385000137..46148c25f 100644
--- a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
+++ b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
@@ -655,8 +655,8 @@
 ~~ total active/idle flows...: 113/113
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7914854 bytes
-~~ total memory freed........: 7914854 bytes
+~~ total memory allocated....: 7914402 bytes
+~~ total memory freed........: 7914402 bytes
 ~~ total allocations/frees...: 125494/125494
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 535 chars
diff --git a/test/results/quic_interop_V.pcapng.out b/test/results/quic_interop_V.pcapng.out
index 2e8594e55..d57081bcf 100644
--- a/test/results/quic_interop_V.pcapng.out
+++ b/test/results/quic_interop_V.pcapng.out
@@ -406,8 +406,8 @@
 ~~ total active/idle flows...: 77/77
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6806347 bytes
-~~ total memory freed........: 6806347 bytes
+~~ total memory allocated....: 6806039 bytes
+~~ total memory freed........: 6806039 bytes
 ~~ total allocations/frees...: 123822/123822
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/quic_q39.pcap.out b/test/results/quic_q39.pcap.out
index e64d4adc4..4eaad5ea0 100644
--- a/test/results/quic_q39.pcap.out
+++ b/test/results/quic_q39.pcap.out
@@ -5,7 +5,7 @@
 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509098995610775,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1509098995610775,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"s.youtube.com","quic": {"user_agent":"com.google.android.youtube Cronet\/63.0.3223.7"}}}
 02038{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1174,"pkt_l4_len":1140,"thread_ts_usec":1509098995619706,"pkt":"AAAAPJ7rSEb7OSWDCABFAASIpypAAD8RBxGq2BDRFZ2345bcAbsEdFQcDeca1dd1bE1NUTAzOQJfXHZ4r4NHY5hNEdjLP+5ayCAfN4aRrJwcGbvr9Ig30\/shURCI87o6EE5x2r0qaxNPy9ijcArYvwm83T\/uUNOwvPrQL1kQ63P7NcdMjvNaDrlFf0DGfuOc7NBPTTXBkaePu98lEtAf3wsOApXg5IhtfmWdfKrgEpCXWFWsxttw6C4\/lCwJqkUGaOjHW5OhnY9r8qCDBdkX4XN\/4WmFW6nWq\/XYAKSy+w3zKPd0+LJKlxsYwrzgGV2rjQwmb93iv1FFvCzNy4lqNoUoMblenytDJV5TJvGYH4s+\/7AX7HDhbJj+lIeaRA3g7dV3H3kgoU\/SpbsdOzy0YVY6Bp9yZermraiyHURn7bAotygD2Vp7YwNcdNEG9BU3funEay5GDjyBK1j66ZDJgNXirLZjzse1+VcJnT0WzMubicwvU30jDw+McSt9Bti6\/gP9FAz9\/lD31IeL8vackSc4lx75mviO5HS6BA\/NqsjQ9B8m4Ji2diYR80xUpIbgdFQiU+oifhm6+LGlaffXf5zfdWBFidIfld\/b7JT3SCK0xn1oi2TKxI8Oroqc4ijms7JGelhl0fef2CpmP0WCIT2YgyU6YwvWa1W7lII+N1ZbTeUAByGqF1QhTf5cSKd79GJRi+dbNY7B3Wj4KJv9v8GAF7TKwPiEZdDEpbOPHL\/FjvVpM04y5hU8HR+06oyFgTK1\/6hdbKNXNH9cJjr2nmUmezntPWc2AFfXM+e\/7E1fv7zcT4Kq1YOLXr9\/RjJvDNQoj81czTWLgfREm6KUrj\/r6fSbFJFnhuScfBlR9k2Pc7b3lIEZb0KXGhxHCyB1J7D8gUoqDhJYFGV+VkGVNhJpozvYPJ8ykH\/Y41HD8nsSDL9iDj9URAxCKHefDlX7Pwz6OhBfkcIZAyY3zG\/w9rr4x0Pl7U6qcsdZ1MBpDJ9qjugA+Tt8C4JpvLxNAR0kx92LyFnt3BYr58WDPwTbktI01oxzKDO5QfY46azjmnqJ+Or2LI93bDxwCMYKsLGAmehhGKZad4Iy8CQig4MBQDG0NMhHKAI6+BaplljmUnDnEalyg57\/03tWWLR4CQIYoKQ9N\/\/fDmFtkFJjraB0A767qxG7Cy8Linc3qzCa86538v6kM371bSCg\/XlL+EWzVEgq8MNOp+Kf2xPBIqWXFiVMGJ1GcpQwm6iQItRpY+85J5+RUK5X+3OW5ex3EYIjJUr+g2x3sFkDiuAsaRHgrjj6WnNpOZnghw1uaYp+E3H8VPrRSwSKqch7lieJx+ojtBtD\/W9etVSxGJeGD7lz+4wIhuht4d\/jcmgefkRDKcrraaR9azCKs\/kbJ\/PpVxbRsVvTZyAXgG+ABf\/0Dt+UshFkLro\/tuKww4FrErwElInQ+88Azyk3w8tcu1AYrDqSPj2BvjSRVwl0PO7TtbVWqgcuYET3exljbs22Rr5eyEoiPXhNZMDC79zLn441b43FrUKvwSHTJR\/j33VYKbaP4oVCvb26Vw=="}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995647453,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1509098995647453,"pkt":"AAAAPJ7rSEb7OSWDCABFAAA\/AABAADgRuYQVnbfjqtgQ0QG7ltwAKyQ\/COca1dd1bE1NATKbKH1UbNEn\/TIU5EABJEsBAQAAAAANBgA="}
-01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":577850.7,"max":6514643,"stddev":1531988.4,"var":2346988339200.0,"ent":2.7,"data": [8931,36678,89781,7,404130,1367,298294,119221,31,434781,6185342,12819,6514643,11351,11378,22730,702601,702694,435266,435159,11351,11442,16019,15861,397203,9235,397732,33897,93428,52,499948,0]},"pktlen": {"min":60,"avg":556.2,"max":1392,"stddev":603.7,"var":364512.4,"ent":4.1,"data": [1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98]},"bins": {"c_to_s": [0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":577850.7,"max":6514643,"stddev":1531988.4,"var":2346988339200.0,"ent":2.7,"data": [8931,36678,89781,7,404130,1367,298294,119221,31,434781,6185342,12819,6514643,11351,11378,22730,702601,702694,435266,435159,11351,11442,16019,15861,397203,9235,397732,33897,93428,52,499948]},"pktlen": {"min":60,"avg":556.2,"max":1392,"stddev":603.7,"var":364512.4,"ent":4.1,"data": [1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98]},"bins": {"c_to_s": [0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":33,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099044522763,"flow_dst_last_pkt_time":1509099044559423,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18965,"flow_dst_tot_l4_payload_len":2686,"midstream":0,"thread_ts_usec":1509099044559423,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":21651,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1509099044559423}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037431 bytes
-~~ total memory freed........: 6037431 bytes
+~~ total memory allocated....: 6037427 bytes
+~~ total memory freed........: 6037427 bytes
 ~~ total allocations/frees...: 121548/121548
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quic_q43.pcap.out b/test/results/quic_q43.pcap.out
index 5e3f07100..71b1d2eb8 100644
--- a/test/results/quic_q43.pcap.out
+++ b/test/results/quic_q43.pcap.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quic_q46.pcap.out b/test/results/quic_q46.pcap.out
index ee0425c16..8e47a0dca 100644
--- a/test/results/quic_q46.pcap.out
+++ b/test/results/quic_q46.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036269 bytes
-~~ total memory freed........: 6036269 bytes
+~~ total memory allocated....: 6036265 bytes
+~~ total memory freed........: 6036265 bytes
 ~~ total allocations/frees...: 121508/121508
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quic_q46_b.pcap.out b/test/results/quic_q46_b.pcap.out
index 0eb13a080..ad660f745 100644
--- a/test/results/quic_q46_b.pcap.out
+++ b/test/results/quic_q46_b.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036271 bytes
-~~ total memory freed........: 6036271 bytes
+~~ total memory allocated....: 6036267 bytes
+~~ total memory freed........: 6036267 bytes
 ~~ total allocations/frees...: 121508/121508
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/quic_q50.pcap.out b/test/results/quic_q50.pcap.out
index 2fa9c61fb..0d4c6c832 100644
--- a/test/results/quic_q50.pcap.out
+++ b/test/results/quic_q50.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046586 bytes
-~~ total memory freed........: 6046586 bytes
+~~ total memory allocated....: 6046582 bytes
+~~ total memory freed........: 6046582 bytes
 ~~ total allocations/frees...: 121527/121527
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quic_t50.pcap.out b/test/results/quic_t50.pcap.out
index ab79f76e1..c67c474f3 100644
--- a/test/results/quic_t50.pcap.out
+++ b/test/results/quic_t50.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046373 bytes
-~~ total memory freed........: 6046373 bytes
+~~ total memory allocated....: 6046369 bytes
+~~ total memory freed........: 6046369 bytes
 ~~ total allocations/frees...: 121521/121521
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quic_t51.pcap.out b/test/results/quic_t51.pcap.out
index 59fd1d0d3..f7b96d09d 100644
--- a/test/results/quic_t51.pcap.out
+++ b/test/results/quic_t51.pcap.out
@@ -5,7 +5,7 @@
 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434413428,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1598620434413428,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","quic": {"user_agent":"dev Chrome\/86.0.4240.9 Windows NT 6.1; Win64; x64","tls": {"version":"TLSv1.3","ja3":"92e76078d514999cd950474995dab2b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-T051","tls_supported_versions":"TLSv1.3"}}}}
 02325{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434419300,"pkt":"AAAAAAAAAAIA\/tPQCABFAAViAABAADcRkr3T95Nau+OImAG72DwFTvx1wFQwNTEACP+UFbWwBYYNAEU0cA7ob5DRu6SNsqDMEz7qri8UnfijZV8Hhw\/oxky0x+Zt0s6erWm7kWn2+1owrYTdI9p89OpW\/6ptpwv9v0J5BjJyyLuuQ7qMgzGXDs2ur++juUsUpOdkAs5K5BYVfQAmPmXEGyVgmyCeUg1T7Vj6FslmnDV909IngQqr2X3bAL3as4fB8O0bAq64I2nnjXRSsXtOF+WecFDOIkhsUozc+8M2nJh6kczAN6BO7Q6B24T4pTF7f\/SWotAh0wmioZGWvmsK3tbjrCGONmSc7G6EA+eCMtEUY\/yq8VyKOSmIHald\/L7JGCPyNYCQuoSWiWNaW\/I+iZ2Tm83YJ0ULZZc8urwFDYH3aj1AkglwflqENARW1+\/0Wgf8CdNT18FiabAis+X7vPL\/K0rfVmIy72rlRNRfOG7y7nzx1KwQOQc8aCVF3CWYU+Lmd10cKRMsTRDen+t7CfJT6D6czKmRS9zHy8defw2VL+sr4ea6knMol1lydS5om9MxXCYpqegXuWZiFTSbzJvhE4RaqOqWqlC3CyDO4ySp0wcYRr6Xiz\/ypHsBLBgujZNocUdxB92srmLhWvU+EKXNqnvn4sN9tP\/B4VI81UNJfpKqafd5TbC3xVerPG2FpOE4rg1k2rQi9r6v1+PQ\/d3R0LlFcbJ1hI9fgnNKZUfeIejFNzw84ZCPAGKEZF9DRij\/q7+ynKTHsKprl5SyrzqmDatgR6jPni4YdUIipVxz2xAMDSfgGHJudxWet0g70XvUgRUnZwnINCVHKug\/Cwaar4s1XCM8uhzoEef40bHIf\/1cPPikcn5BGvUj0yq5vKOgKlUAn1Pgd3RmxD4udRVK4hr3Qq2qz0yzGHjPkF5V31PdO+LbljCDil0atM9nNzYRQDTxXIy4ROBhbRF0GC5xxy\/5G1Z3EVEXnUgV7cKAoSoRYsJk+ehBddHi\/2\/aZLTP9GUgaj03e1ZAUqg\/pLbgzkOggtkBYwlEystem00J3RiW59azSXPWDzpQD37GvUqWpvchJjuAPROhp0eQOeyP6Sm5m8Ha1f9MDT\/mDWqN\/iBuFORPOJebKiYDmtBTotFqfXW1txgynw6EHUJzSE+pl4MdTTWGiKeLLjK6VcgkjK3QCvZi2YAV34jHwjHZGw2P\/U6KrMCfYoKLgcta7eGwEJgt1TEOATVA86YdSNrUK8Cm6qplxo7u2vCTdHfHERZHXlWiV5V+M6yg8jJ+w71hYe+9QRnWDWxxhFwqS3Rom5NgfL3qyZPAg7B0TvVcGC3k1t2hVxdIBJT1YLB9P8xcq205KojLAkrnJ6A03YtC2cE+\/GfTI6rrSdcn22uQHH1uwQgPFlvo5F8SRGnmtqbBCoQkhDA10opFpEUHAKVRysF1xT\/NgfiMQHD+An4IrPRfuv9gDg0rUkwJww22wh5gLlRkZ\/Syy5BClTzH9Eje2q1QlkG4NyNIdxlgTeTWfrV+owYm4Q+FXDFSqiziTTjYt929oBaNekN7DaLZNKBHzE9aRpnZjKaGJOIkilbSRnfMsOP+KhOdyxkYqJB7lgyVuE7zA+Cs6QfiNfeFBdysqGJcMLaCJe1XQZYseYZCHv9I1fYRd7rHJDJ5TLxG9ZoKBvyy9qAFruCnQdJM3kRJUF0ZdxtTsL1YtSrJYqn3hcGRfsN64Wu2ioNCdgwzJ\/IOr225URP0O\/yfvAjNTo393KgekGIplrSAr2vqB7j6oyQmlBJgPRuYDzTKmIMBKNHRY+Gk4U31TV\/ldcN5g5htDYX20DA3i7tEfKzfbUYY"}
 02326{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1598620434482713,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434482713,"pkt":"AAAAAAAAAAgAH83gCABFAAViXl9AAH8R7F2744iY0\/eTWtg8AbsFTtamzVQwNTEI\/5QVtbAFhg0AAEU0KsIg8w2st8fMy25uq6gsPA7KRO4wWARaQxn0e+nvMAG\/ncVOK2\/1iV8zM1GT+gj2yfRnYitTLViCwPF0TV0R7p64xnLqwrHTiNaW89JgMAHQze00LP7FiTbOvqpo5S+7AzCO4J36LH8gasnIPNye5ytyGP9hxarM0Gwv6wB1BKIgh6Hfi9vN\/Jaq\/hKaWtnsFyqFx21T1U0YmQzCOhcYGHZNHNGEmxqlfOiET0cy7A2zooythTNQBScefWz4fyugA0KO5z5EPbOCuLPnOhJ8u0jAA5snZ9Av4lfTCNurCTo\/b96gqEMXFCAN6kklskS6mSW1P2yxo93FRN9w3VFPyMe8m7WnAxPUMrijM3bZFrpYXz6N3LoSvj\/7t1mbaz3Ew6W7CCET2\/vUPuty0yYuKN9hlZRGZDAOI7p7UV84zBa3MKUoIB90BBwtqXlv\/AcyfRFhSrAf1TPDIen8IRojBr5qTqwwDIcvMREVIsmeXYDDAIh87njz+3l6UiC0r72z0Vz8KlwPmvyd1tNbK4UoVu5yliqV7BzHAT0P+flRjAVL+Vtw\/1eTO0KLmizThDqycqyAF1MjS6cC4BRlgBDuBvC7oqizuHTk4JOICP+TLa71t9U0MO4SvptmKRFy9UA159ziHHDRbAhIzzVEm+HGxTjT93PUzlkT4beWAgYYW5swcH8m2E+qX\/jfh4l+RAJ7s1FC99eqQD\/G2qHKz49sTvtw3eknSSHiADw1dFNDiGytHeAJqgKsYZ6xbxYgMT8vQQJWpcCaoPnc1R\/36QBSKDfO0Ei6I0Nk2Twp2jW7ybYg3WV9zcO8mcO+t2rUANioNNaghKiQ6\/\/kCvnfaOZl9\/nMaaP8oRI80YNnM3bBLePCUoIodPlfRsS+qRORwVaYVbmTkVd+7OOE68KIf+CtQJzWPG1I9szX6EUokwcVW4JeKB3DLXSgUJqbrCp8nB5Gt1Xl+DVmAWNn0zlmAkUkIYwVaRlUBt12nmZM5GfCFjeNYwyxKhMtco0zqNoFh6GPimEo\/HJoIaculB01PGh4MlKE33m6lcbQnV2mcjQy9+X6G7gJAvssvNVim+h2CyUIa0AFnvBEp0BZ0LQBw4xxW1+LO+851oEKlpBHf2CaPTJQbQ3lYLcFUbbZ7WxtncvtHzy\/SI9UgKeWcagnCcsYLbPsnPnloEl6cnUj6vnGVoFZ0zI4TVPk88\/biBoFXX37AYSAsISWoXJh5fdyK7Ub3uTshAtqeqBBTUeUFjb5Aj4cdCLyefeqdX7eVX7iolZTDjMHw6WHcQg9j8QT5ZehE6eQ3EWBv\/dyJkxi+P\/\/5RRqzAOol5xZb6h4LuhsvzWHQihAaP9MzFNZJKsrSoe\/spLPEQi09YKZ53xMfFjPTNozP7awNtIb6QltDJNIByFfslEQklWBp3nSDDraHwFBspLwhrXO\/4KJq80I0e6UvL2AGkUJ3WcnYVtrSbxxk4APJ7JesOtrVvfG0zUeYMWMSCdfwkF4KodqZGtJ3QATjzBea+nTD5uHk34dDyJnSJKk0ILq0jIFLho8LlWIyJH4QOXOz4qaWrv1Yq7zohspvZk7qqBfzWtq9nyRWQ1TZln6OTuRj1nSwDkH3Qwyv3P3ftVCIjgLduzJ1KxoPir\/gAp5xz8YWBMXoD3IJzkv\/PGQNpizq54tSdx\/+EwNQ0FXkMrTDVKVITAuSnBIkg9sH6JW+WpNYsbAPv3JnEFyzt8fIeM\/r0Qmf+N6zxgE9jaSg9C2Ue6YSiQO2VAdyYTxTvnFaxwR"}
-01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":2164602.8,"max":19582580,"stddev":5209676.0,"var":27140724621312.0,"ent":2.5,"data": [5872,69285,110768,19,33,113561,2317,5835,79981,27,46402,10090862,10162287,246207,1361,7,331600,26165,19472426,19582580,120230,670,167,185037,26475,2999498,3090044,125889,1350,111,205624,0]},"pktlen": {"min":67,"avg":451.2,"max":1392,"stddev":500.3,"var":250315.8,"ent":4.2,"data": [1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75]},"bins": {"c_to_s": [0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":2164602.8,"max":19582580,"stddev":5209676.0,"var":27140724621312.0,"ent":2.5,"data": [5872,69285,110768,19,33,113561,2317,5835,79981,27,46402,10090862,10162287,246207,1361,7,331600,26165,19472426,19582580,120230,670,167,185037,26475,2999498,3090044,125889,1350,111,205624]},"pktlen": {"min":67,"avg":451.2,"max":1392,"stddev":500.3,"var":250315.8,"ent":4.2,"data": [1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75]},"bins": {"c_to_s": [0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":205,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":72,"flow_dst_packets_processed":132,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620488484485,"flow_dst_last_pkt_time":1598620488458891,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":8772,"flow_dst_tot_l4_payload_len":133705,"midstream":0,"thread_ts_usec":1598620488484485,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":171,"flow_dst_packets_processed":471,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620524479693,"flow_dst_last_pkt_time":1598620524442441,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":21835,"flow_dst_tot_l4_payload_len":524919,"midstream":0,"thread_ts_usec":1598620524479693,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","packets-captured":642,"packets-processed":642,"total-skipped-flows":0,"total-l4-payload-len":546754,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1598620524479693}
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6064646 bytes
-~~ total memory freed........: 6064646 bytes
+~~ total memory allocated....: 6064642 bytes
+~~ total memory freed........: 6064642 bytes
 ~~ total allocations/frees...: 122151/122151
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/quickplay.pcap.out b/test/results/quickplay.pcap.out
index 6fae07aac..2c4b3628a 100644
--- a/test/results/quickplay.pcap.out
+++ b/test/results/quickplay.pcap.out
@@ -63,7 +63,7 @@
 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1429000054688452,"flow_dst_last_pkt_time":1429000054555518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":500,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":500,"pkt_l4_len":464,"thread_ts_usec":1429000054688452,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeRjvEAAPwaG4wo2qfp4HCMoyykAUHABs6PLUc5cUBgk\/ZRuAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWODBSMTkyL3FwbWV6ei1IYXdrX0RpZ2l0YWxfQ09OVEFHSU9OXzIwNTQwMzNfRkVBVFVSRV9FTkdMSVNIXzJfMF9MVFJUXzIzOTc2ZnBzXzc4MzQxOTIubTJ0X1NUVjgwUjE5Mi0wMDIxLnRzIEhUVFAvMS4xDQpIb3N0OiB2b2Qtc2luZ3RlbGhhd2sucXVpY2twbGF5LmNvbQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDQuNC40OyBNSSAzVyBCdWlsZC9LVFU4NFApIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS8zMy4wLjAuMCBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KDQo="}
 00792{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1429000054595190,"flow_dst_last_pkt_time":1429000054967566,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000054967566,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUEEkAArQbHccvNgWUKNqn6AFCnCorJCJ8MOwSFUBgII8UCAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwDvBAYGAAAXudj2eCNNjv4Uv\/n42\/lx"}
 00791{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1429000052350287,"flow_dst_last_pkt_time":1429000055158240,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000055158240,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUJYkAArAas5svNl6AKNqn6AFDWZdcfCppPknoiUBkIIrzXAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwD\/BAgIAACTADJ0e1hwz8xBqPPud44t"}
-01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":182557,"avg":2459503.2,"max":5871155,"stddev":1331263.2,"var":1772261736448.0,"ent":4.7,"data": [2337891,2470825,5776550,5871155,324615,2084534,1689148,182557,2170257,2013275,645600,519622,2223724,2353455,480927,4401947,3911834,3909668,3936554,2356476,2338349,2619995,2626526,2264068,2270477,2391541,2349518,2604523,2641967,2224884,2252137,0]},"pktlen": {"min":76,"avg":656.4,"max":1456,"stddev":347.9,"var":121006.6,"ent":4.8,"data": [500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}}
+01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":182557,"avg":2459503.2,"max":5871155,"stddev":1331263.2,"var":1772261736448.0,"ent":4.7,"data": [2337891,2470825,5776550,5871155,324615,2084534,1689148,182557,2170257,2013275,645600,519622,2223724,2353455,480927,4401947,3911834,3909668,3936554,2356476,2338349,2619995,2626526,2264068,2270477,2391541,2349518,2604523,2641967,2224884,2252137]},"pktlen": {"min":76,"avg":656.4,"max":1456,"stddev":347.9,"var":121006.6,"ent":4.8,"data": [500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}}
 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 01356{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":681,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":681,"pkt_l4_len":645,"thread_ts_usec":1429000110390234,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAApm620AAPwZqrgo2qfrLzZPXi1YAUBkYU+pems3wUBgAbqLPAABQT1NUIGh0dHA6Ly9oa21pbm9yc2hvcnQud2VpeGluLnFxLmNvbS9jZ2ktYmluL21pY3JvbXNnLWJpbi9ydGt2cmVwb3J0IEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMzU1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGttaW5vcnNob3J0LndlaXhpbi5xcS5jb20NClVzZXItQWdlbnQ6IE1pY3JvTWVzc2VuZ2VyIENsaWVudA0KDQqNXyYBAEFVK9B93wIQAhdIZGw+bAzfhIMAzAXaBLgCxN0BAsPj4k0n0ICdjYK52ViOWnOC4Vzgxi7+iegOsMW+oW6QdEAHg+UlyxaSBb9\/s0oeR4gum6gk+uWhqjv3Tkoz3jpOxZ3uqg5IoeAevVK78mE+75Mm5QEXaL\/24wa8I4nsiJTVEr54yg9WsIjA1I\/cd65YM57jS4+t1kJ\/xpqwwPsMfqK2G34N85Xo0uWP1F2PyLEjHiJZyK4xRu\/XYVzahdDn1vQRPtqQ3i2o6ggKNGN3kBkFa6C2GO0zTqwt7XUYqb0ppGq3KKIyPCtrTg5YICuEsfTDMTLer3J067M5VD93Ij+RkxqqGFN9+gvu+C\/smM0OksnEYsvtVnkr65ZF5Pk4qVPYHRDIlRcRHe0XzckIkJitYHFr8VSN2R6GxFfZK0YtMPQdmLxH6qLecheL3Cuuz7XcYpBc6JGpDIih+q4v"}
 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP_Proxy.QQ","proto_id":"131.48","encrypted":0,"breed":"Fun","category_id":9,"category":"Chat","hostname":"hkminorshort.weixin.qq.com","http": {"url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client","request_content_type":"application\/octet-stream"}}}
@@ -127,8 +127,8 @@
 ~~ total active/idle flows...: 21/21
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6079016 bytes
-~~ total memory freed........: 6079016 bytes
+~~ total memory allocated....: 6078932 bytes
+~~ total memory freed........: 6078932 bytes
 ~~ total allocations/frees...: 121946/121946
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/radius_false_positive.pcapng.out b/test/results/radius_false_positive.pcapng.out
index f4520b7e0..7b231f63b 100644
--- a/test/results/radius_false_positive.pcapng.out
+++ b/test/results/radius_false_positive.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035935 bytes
-~~ total memory freed........: 6035935 bytes
+~~ total memory allocated....: 6035931 bytes
+~~ total memory freed........: 6035931 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 508 chars
diff --git a/test/results/raknet.pcap.out b/test/results/raknet.pcap.out
index 289ebfe16..a2ed3a9e6 100644
--- a/test/results/raknet.pcap.out
+++ b/test/results/raknet.pcap.out
@@ -95,8 +95,8 @@
 ~~ total active/idle flows...: 12/12
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055467 bytes
-~~ total memory freed........: 6055467 bytes
+~~ total memory allocated....: 6055419 bytes
+~~ total memory freed........: 6055419 bytes
 ~~ total allocations/frees...: 121663/121663
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/rdp.pcap.out b/test/results/rdp.pcap.out
index 6f57572c6..893d252b0 100644
--- a/test/results/rdp.pcap.out
+++ b/test/results/rdp.pcap.out
@@ -5,7 +5,7 @@
 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1559207465138576,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":56,"pkt_l4_len":32,"thread_ts_usec":1559207465180991,"pkt":"AgAAAEUAADRflEAAfwYqMMCoAo6sEAK5DT3NDkeav7z5vOJZgBL6AEVOAAACBAW0AQMDAAEBBAI="}
 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1559207465181061,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":44,"pkt_l4_len":20,"thread_ts_usec":1559207465181061,"pkt":"AgAAAEUAACgAAEAAQAbI0KwQArnAqAKOzQ4NPfm84llHmr+9UBAgAGAaAAA="}
 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465181421,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1559207465181421,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
-01841{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"min":149,"avg":34910.3,"max":86174,"stddev":23095.5,"var":533403456.0,"ent":4.5,"data": [42415,42485,360,46147,45785,5885,50430,44534,5170,48270,43112,41453,86174,44710,10166,53885,43706,302,43769,43467,297,43729,43444,307,149,43556,40251,83348,297,42450,42166,0]},"pktlen": {"min":44,"avg":157.3,"max":1223,"stddev":233.3,"var":54415.1,"ent":4.1,"data": [68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44]},"bins": {"c_to_s": [12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"min":149,"avg":34910.3,"max":86174,"stddev":23095.5,"var":533403456.0,"ent":4.5,"data": [42415,42485,360,46147,45785,5885,50430,44534,5170,48270,43112,41453,86174,44710,10166,53885,43706,302,43769,43467,297,43729,43444,307,149,43556,40251,83348,297,42450,42166]},"pktlen": {"min":44,"avg":157.3,"max":1223,"stddev":233.3,"var":54415.1,"ent":4.1,"data": [68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44]},"bins": {"c_to_s": [12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":936,"flow_dst_packets_processed":1074,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207472612156,"flow_dst_last_pkt_time":1559207472692980,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":578,"flow_dst_max_l4_payload_len":1273,"flow_src_tot_l4_payload_len":17682,"flow_dst_tot_l4_payload_len":516561,"midstream":0,"thread_ts_usec":1559207472692980,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","packets-captured":2010,"packets-processed":2010,"total-skipped-flows":0,"total-l4-payload-len":534243,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1559207472692980}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6093945 bytes
-~~ total memory freed........: 6093945 bytes
+~~ total memory allocated....: 6093941 bytes
+~~ total memory freed........: 6093941 bytes
 ~~ total allocations/frees...: 123498/123498
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1846 chars
-~~ json string avg len.......: 1105 chars
+~~ json string max len.......: 1844 chars
+~~ json string avg len.......: 1104 chars
diff --git a/test/results/reasm_crash_anon.pcapng.out b/test/results/reasm_crash_anon.pcapng.out
index 269ea3a08..e32d31f9b 100644
--- a/test/results/reasm_crash_anon.pcapng.out
+++ b/test/results/reasm_crash_anon.pcapng.out
@@ -4,7 +4,7 @@
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1410865705717955,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717955,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717964,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"}
 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705719465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1410865705719465,"pkt":"AAAAAQAGUrCAkIlsAAAIAEUAAH6lHkAAQAYvuwrRCJTAqJGTVe\/IEt2R21o7+2QM0BgBxZZgqqoBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAaqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":9709947.0,"max":30165638,"stddev":14064983.0,"var":197823744180224.0,"ent":3.3,"data": [9,1510,1527,4,1248,1237,4,30097711,30099473,1765,3,1246,1236,30097518,8,30099327,1814,1237,30097422,1775,4,30101686,1241,30097498,30165638,1254,69395,30031106,8,30032779,1670,0]},"pktlen": {"min":68,"avg":171.0,"max":793,"stddev":234.8,"var":55144.5,"ent":4.2,"data": [81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68]},"bins": {"c_to_s": [23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0]}}
+01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":9709947.0,"max":30165638,"stddev":14064983.0,"var":197823744180224.0,"ent":3.3,"data": [9,1510,1527,4,1248,1237,4,30097711,30099473,1765,3,1246,1236,30097518,8,30099327,1814,1237,30097422,1775,4,30101686,1241,30097498,30165638,1254,69395,30031106,8,30032779,1670]},"pktlen": {"min":68,"avg":171.0,"max":793,"stddev":234.8,"var":55144.5,"ent":4.2,"data": [81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68]},"bins": {"c_to_s": [23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0]}}
 00822{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":94,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":94,"packets-processed":93,"total-skipped-flows":0,"total-l4-payload-len":5079,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1410866307727956}
 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":170,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":170,"packets-processed":169,"total-skipped-flows":0,"total-l4-payload-len":6225,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1410866909737971}
@@ -18,10 +18,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043754 bytes
-~~ total memory freed........: 6043754 bytes
+~~ total memory allocated....: 6043750 bytes
+~~ total memory freed........: 6043750 bytes
 ~~ total allocations/frees...: 121697/121697
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 503 chars
-~~ json string max len.......: 1600 chars
-~~ json string avg len.......: 1044 chars
+~~ json string max len.......: 1598 chars
+~~ json string avg len.......: 1043 chars
diff --git a/test/results/reasm_segv_anon.pcapng.out b/test/results/reasm_segv_anon.pcapng.out
index ab30d2cbb..0e192c36a 100644
--- a/test/results/reasm_segv_anon.pcapng.out
+++ b/test/results/reasm_segv_anon.pcapng.out
@@ -23,7 +23,7 @@
 00438{"packet_event_id":1,"packet_event_name":"packet","packet_id":26,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422831516116,"pkt":"AAAAcxs8EFFy5LtdCABFeABkmSIAAEARXQGRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPqcwAARQAAPFk9QAB\/BgFvrBEkFT++kSvhEwBQ8LOPBjqqWZmgEAEB\/lMAAAEBBRI6qnTxOqqQSTqqZIk6qm95"}
 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":114,"expected":118,"global_ts_usec":1550422833287234}
 00437{"packet_event_id":1,"packet_event_name":"packet","packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422833134009,"pkt":"AAAAcxs8EFFy5LtdCABFeABkzGMAAEARKcCRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPrcwAARQAAPFk+QAB\/BgFurBEkFT++kSvhEwBQ8LOPBjqqXxGgEAEB+NsAAAEBBRI6qnTxOqqQSTqqZIk6qm95"}
-01746{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":305486.2,"max":1859119,"stddev":563984.9,"var":318078976000.0,"ent":3.1,"data": [396021,83822,1376171,124,2,2,1,3,2,2,113,124,1859119,964928,439709,439658,123,2,1,1,1,121,163901,20078,1615354,1799040,121,3,155764,155637,124,0]},"pktlen": {"min":90,"avg":934.2,"max":1490,"stddev":651.3,"var":424215.9,"ent":4.5,"data": [106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402]},"bins": {"c_to_s": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]},"directions": [0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01744{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":305486.2,"max":1859119,"stddev":563984.9,"var":318078976000.0,"ent":3.1,"data": [396021,83822,1376171,124,2,2,1,3,2,2,113,124,1859119,964928,439709,439658,123,2,1,1,1,121,163901,20078,1615354,1799040,121,3,155764,155637,124]},"pktlen": {"min":90,"avg":934.2,"max":1490,"stddev":651.3,"var":424215.9,"ent":4.5,"data": [106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402]},"bins": {"c_to_s": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]},"directions": [0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422833447409}
 00450{"packet_event_id":1,"packet_event_name":"packet","packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":122,"pkt_l4_len":0,"thread_ts_usec":1550422833289895,"pkt":"AAAAcxs8EFFy5LtdCABFeABsAdEAAEAR9EqRTALsu2A0VQhoCGgAWAAAMv8ASAn8kEPscwAARQAARFk\/QAB\/BgFlrBEkFT++kSvhEwBQ8LOPBjqqXxHAEAEBHQQAAAEBBRo6qqCxOqqlwTqqdPE6qpBJOqpkiTqqb3k="}
 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":35,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422834706876}
@@ -72,10 +72,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038023 bytes
-~~ total memory freed........: 6038023 bytes
+~~ total memory allocated....: 6038019 bytes
+~~ total memory freed........: 6038019 bytes
 ~~ total allocations/frees...: 121569/121569
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 247 chars
-~~ json string max len.......: 1751 chars
-~~ json string avg len.......: 998 chars
+~~ json string max len.......: 1749 chars
+~~ json string avg len.......: 997 chars
diff --git a/test/results/reddit.pcap.out b/test/results/reddit.pcap.out
index d1cf4e76f..ffdb3643f 100644
--- a/test/results/reddit.pcap.out
+++ b/test/results/reddit.pcap.out
@@ -26,8 +26,8 @@
 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684551717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291684552325,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":56,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684592780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291684592780,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01478{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684592921,"flow_dst_last_pkt_time":1605291684593083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291684593083,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}}
-01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14520.5,"max":75646,"stddev":23887.5,"var":570611008.0,"ent":3.2,"data": [24940,24984,493,75646,1,1,75219,11,11,8777,4975,582,741,37567,3490,25948,1187,485,1611,1121,59921,1,1,1,1,58810,38,10,0,0,0,0]},"pktlen": {"min":86,"avg":295.1,"max":1294,"stddev":342.1,"var":117045.1,"ent":4.3,"data": [94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01572{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":98736.8,"max":1287577,"stddev":316362.8,"var":100085415936.0,"ent":1.8,"data": [33174,33242,863,66592,1,1,1,1,65678,11,9,6,13203,712,517,42062,2,27621,483,471,1369,59921,136,1228856,1287577,855,2,1,1,0,0,0]},"pktlen": {"min":86,"avg":413.8,"max":1134,"stddev":437.6,"var":191482.0,"ent":4.3,"data": [94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1]}}
+01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14520.5,"max":75646,"stddev":23887.5,"var":570611008.0,"ent":3.2,"data": [24940,24984,493,75646,1,1,75219,11,11,8777,4975,582,741,37567,3490,25948,1187,485,1611,1121,59921,1,1,1,1,58810,38,10]},"pktlen": {"min":86,"avg":295.1,"max":1294,"stddev":342.1,"var":117045.1,"ent":4.3,"data": [94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":98736.8,"max":1287577,"stddev":316362.8,"var":100085415936.0,"ent":1.8,"data": [33174,33242,863,66592,1,1,1,1,65678,11,9,6,13203,712,517,42062,2,27621,483,471,1369,59921,136,1228856,1287577,855,2,1,1]},"pktlen": {"min":86,"avg":413.8,"max":1134,"stddev":437.6,"var":191482.0,"ent":4.3,"data": [94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1]}}
 01482{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}}
 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686035717,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686035717,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686035717,"pkt":"qtsDr8lk5EKm5WPyht1gDzZzACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PIBu+DxzH8AAAAAoAL9INmFAAACBAWgBAIICql05ecAAAAAAQMDBw=="}
@@ -137,16 +137,16 @@
 01472{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":738,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064586,"flow_src_last_pkt_time":1605291686146132,"flow_dst_last_pkt_time":1605291686146919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686146919,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}}
 01212{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":751,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01472{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":754,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8221.6,"max":41517,"stddev":14383.5,"var":206883872.0,"ent":3.1,"data": [29904,29917,129,38003,2302,1,40177,45,72,17,3,2699,111,630,30,181,4,41517,1269,39145,1579,42,7307,1546,7292,2107,217,138,38,226,0,0]},"pktlen": {"min":86,"avg":330.1,"max":1474,"stddev":366.7,"var":134435.4,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308]},"bins": {"c_to_s": [8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8221.6,"max":41517,"stddev":14383.5,"var":206883872.0,"ent":3.1,"data": [29904,29917,129,38003,2302,1,40177,45,72,17,3,2699,111,630,30,181,4,41517,1269,39145,1579,42,7307,1546,7292,2107,217,138,38,226]},"pktlen": {"min":86,"avg":330.1,"max":1474,"stddev":366.7,"var":134435.4,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308]},"bins": {"c_to_s": [8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":807,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182404,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01502{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":809,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182405,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686182405,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}}
 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":811,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686130302,"flow_dst_last_pkt_time":1605291686182406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182406,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01502{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686182436,"flow_dst_last_pkt_time":1605291686183890,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686183890,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}}
-01570{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10367.1,"max":48292,"stddev":16265.1,"var":264551920.0,"ent":3.2,"data": [38700,38720,198,38531,1,38345,41,14,329,334,4,2216,2804,187,210,6465,48292,2910,39329,6844,2704,1,9551,251,801,2129,1,0,0,0,0,0]},"pktlen": {"min":86,"avg":423.6,"max":1134,"stddev":435.5,"var":189657.0,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134]},"bins": {"c_to_s": [8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1]}}
+01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10367.1,"max":48292,"stddev":16265.1,"var":264551920.0,"ent":3.2,"data": [38700,38720,198,38531,1,38345,41,14,329,334,4,2216,2804,187,210,6465,48292,2910,39329,6844,2704,1,9551,251,801,2129,1]},"pktlen": {"min":86,"avg":423.6,"max":1134,"stddev":435.5,"var":189657.0,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134]},"bins": {"c_to_s": [8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1]}}
 01506{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"styles.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}}
-01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11195.6,"max":60278,"stddev":19812.6,"var":392540128.0,"ent":2.7,"data": [36077,36109,144,41300,1,41154,44,17,686,689,5,2344,1105,220,36,172,60278,1038,57438,31,1,25,34,2,940,0,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":311.4,"max":1134,"stddev":353.7,"var":125114.1,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124]},"bins": {"c_to_s": [10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0]}}
+01537{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11195.6,"max":60278,"stddev":19812.6,"var":392540128.0,"ent":2.7,"data": [36077,36109,144,41300,1,41154,44,17,686,689,5,2344,1105,220,36,172,60278,1038,57438,31,1,25,34,2,940]},"pktlen": {"min":86,"avg":311.4,"max":1134,"stddev":353.7,"var":125114.1,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124]},"bins": {"c_to_s": [10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0]}}
 01475{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10575.8,"max":52464,"stddev":19563.6,"var":382734336.0,"ent":2.8,"data": [44627,44653,347,50980,1843,1,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,1,1,1443,16,7,133,49,15,0,0,0,0]},"pktlen": {"min":86,"avg":377.0,"max":1134,"stddev":422.8,"var":178733.3,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134]},"bins": {"c_to_s": [11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1]}}
+01549{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10575.8,"max":52464,"stddev":19563.6,"var":382734336.0,"ent":2.8,"data": [44627,44653,347,50980,1843,1,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,1,1,1443,16,7,133,49,15]},"pktlen": {"min":86,"avg":377.0,"max":1134,"stddev":422.8,"var":178733.3,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134]},"bins": {"c_to_s": [11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1]}}
 01506{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686301196,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686301196,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML0AAAAAoAL9IDDZAAACBAWgBAIICql05vEAAAAAAQMDBw=="}
@@ -155,7 +155,7 @@
 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1211,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686327034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686327471,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1398,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686419456,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686419456,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01527{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686419467,"flow_dst_last_pkt_time":1605291686420291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686420291,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}}
-01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12918.2,"max":91996,"stddev":23629.4,"var":558350720.0,"ent":2.8,"data": [25838,25880,395,66367,26055,91996,835,829,7,4,1579,121,254,42141,1,1,6209,2,1,46395,10,6,2,1,4,940,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":377.3,"max":1134,"stddev":424.0,"var":179781.3,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]}}
+01539{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12918.2,"max":91996,"stddev":23629.4,"var":558350720.0,"ent":2.8,"data": [25838,25880,395,66367,26055,91996,835,829,7,4,1579,121,254,42141,1,1,6209,2,1,46395,10,6,2,1,4,940]},"pktlen": {"min":86,"avg":377.3,"max":1134,"stddev":424.0,"var":179781.3,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]}}
 01530{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686985114,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686985114,"pkt":"qtsDr8lk5EKm5WPyht1gAMi0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxxABu7duD88AAAAAoAL9IJsfAAACBAWgBAIIClRf4AwAAAAAAQMDBw=="}
@@ -175,10 +175,10 @@
 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1938,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687016854,"flow_dst_last_pkt_time":1605291687060476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687060476,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01200{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1949,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687024727,"flow_dst_last_pkt_time":1605291687075726,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687075726,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1962,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687024606,"flow_dst_last_pkt_time":1605291687096859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687096859,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"c.aaxads.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":8926.9,"max":43636,"stddev":14641.6,"var":214376368.0,"ent":3.1,"data": [31477,31507,233,36835,7050,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,158,5,98,0,0,0,0]},"pktlen": {"min":86,"avg":436.5,"max":1294,"stddev":490.0,"var":240053.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9355.9,"max":51019,"stddev":15790.2,"var":249329552.0,"ent":3.0,"data": [38538,38619,398,37312,14166,1,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,3233,8,2,2,0,0,0,0,0]},"pktlen": {"min":86,"avg":475.6,"max":1474,"stddev":586.5,"var":343946.1,"ent":4.0,"data": [94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0]}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":8926.9,"max":43636,"stddev":14641.6,"var":214376368.0,"ent":3.1,"data": [31477,31507,233,36835,7050,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,158,5,98]},"pktlen": {"min":86,"avg":436.5,"max":1294,"stddev":490.0,"var":240053.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01542{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9355.9,"max":51019,"stddev":15790.2,"var":249329552.0,"ent":3.0,"data": [38538,38619,398,37312,14166,1,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,3233,8,2,2]},"pktlen": {"min":86,"avg":475.6,"max":1474,"stddev":586.5,"var":343946.1,"ent":4.0,"data": [94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0]}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14548.7,"max":72269,"stddev":19347.3,"var":374318368.0,"ent":3.4,"data": [27356,27416,299,37313,35299,1,72269,38,3,2523,128,130,31242,2117,15088,1,45626,28,24,154,29754,10263,39831,697,1,666,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":446.9,"max":1474,"stddev":553.5,"var":306346.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14548.7,"max":72269,"stddev":19347.3,"var":374318368.0,"ent":3.4,"data": [27356,27416,299,37313,35299,1,72269,38,3,2523,128,130,31242,2117,15088,1,45626,28,24,154,29754,10263,39831,697,1,666]},"pktlen": {"min":86,"avg":446.9,"max":1474,"stddev":553.5,"var":306346.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687485783,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687485783,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ4AAAAAoAL9IP2VAAACBAWgBAIICruOxrcAAAAAAQMDBw=="}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2341,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687512994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687512994,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAKzZEsIqAcsBIEmLB5kd7IUo3\/YpAbvHUvrRnoyfz12foBJXgAjWAAACBAV4AQMDAwQCCArC1z5Fu47Gtw=="}
@@ -192,8 +192,8 @@
 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687513279,"flow_dst_last_pkt_time":1605291687552593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687552593,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"securepubads.g.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2382,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687545503,"flow_dst_last_pkt_time":1605291687606576,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291687606576,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01545{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687606628,"flow_dst_last_pkt_time":1605291687606672,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291687606672,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9362.2,"max":49462,"stddev":15182.4,"var":230505152.0,"ent":3.1,"data": [27211,27234,262,32139,7460,39332,541,528,9,1876,115,75,39448,325,11758,49462,14,229,1909,2,1682,24,5,95,52,1631,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":456.6,"max":1474,"stddev":558.6,"var":312025.4,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
-01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8714.2,"max":61125,"stddev":16231.6,"var":263464320.0,"ent":2.9,"data": [30377,30415,332,47450,13993,61125,95,1,49,10,2,3286,115,139,30628,2061,91,29231,1271,1309,181,374,3,2,1,161,6,3,2,0,0,0]},"pktlen": {"min":86,"avg":377.2,"max":1134,"stddev":425.8,"var":181298.7,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0]}}
+01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9362.2,"max":49462,"stddev":15182.4,"var":230505152.0,"ent":3.1,"data": [27211,27234,262,32139,7460,39332,541,528,9,1876,115,75,39448,325,11758,49462,14,229,1909,2,1682,24,5,95,52,1631]},"pktlen": {"min":86,"avg":456.6,"max":1474,"stddev":558.6,"var":312025.4,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
+01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8714.2,"max":61125,"stddev":16231.6,"var":263464320.0,"ent":2.9,"data": [30377,30415,332,47450,13993,61125,95,1,49,10,2,3286,115,139,30628,2061,91,29231,1271,1309,181,374,3,2,1,161,6,3,2]},"pktlen": {"min":86,"avg":377.2,"max":1134,"stddev":425.8,"var":181298.7,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0]}}
 01548{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687642048,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687642048,"pkt":"qtsDr8lk5EKm5WPyht1gDI7+ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAImmABu4PHuxgAAAAAoAL9IGTNAAACBAWgBAIICsL4XLwAAAAAAQMDBw=="}
@@ -203,7 +203,7 @@
 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687678071,"flow_dst_last_pkt_time":1605291687721930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687721930,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagmanager.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687761761,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687761761,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bcAAAAAoAL9IFSZAAACBAWgBAIIClvEqOkAAAAAAQMDBw=="}
-01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8834.9,"max":43870,"stddev":14652.3,"var":214690448.0,"ent":3.2,"data": [34309,34348,1675,38053,7520,1,43870,15,3,2990,179,332,37258,1,401,1,34144,24,176,2332,6921,9068,836,1,863,34,109,28,721,0,0,0]},"pktlen": {"min":86,"avg":429.8,"max":1294,"stddev":486.5,"var":236643.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8834.9,"max":43870,"stddev":14652.3,"var":214690448.0,"ent":3.2,"data": [34309,34348,1675,38053,7520,1,43870,15,3,2990,179,332,37258,1,401,1,34144,24,176,2332,6921,9068,836,1,863,34,109,28,721]},"pktlen": {"min":86,"avg":429.8,"max":1294,"stddev":486.5,"var":236643.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2609,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687790624,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGhTs9EqAcsBIEmLB5kd7IUo3\/YpAbuAylJzVUg0Stm4oBJXgFBhAAACBAV4AQMDAwQCCArC1z9gW8So6Q=="}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2610,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1605291687790646,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291687790646,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bhSc1VJgBAB+9RVAAABAQgKW8SpBsLXP2A="}
 01135{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687790793,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687790793,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.aaxdetect.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
@@ -240,9 +240,9 @@
 01595{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3147,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291687974969,"flow_dst_last_pkt_time":1605291688036418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3364,"midstream":0,"thread_ts_usec":1605291688036418,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}}
 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3171,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291687829706,"flow_dst_last_pkt_time":1605291688046248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688046248,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01668{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688046258,"flow_dst_last_pkt_time":1605291688046580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3439,"midstream":0,"thread_ts_usec":1605291688046580,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}}
-01601{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22403.4,"max":180245,"stddev":39725.6,"var":1578121344.0,"ent":3.3,"data": [41345,41375,239,45639,16078,1,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,1,0,0,0]},"pktlen": {"min":86,"avg":460.9,"max":1474,"stddev":554.6,"var":307585.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474]},"bins": {"c_to_s": [10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1]}}
+01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22403.4,"max":180245,"stddev":39725.6,"var":1578121344.0,"ent":3.3,"data": [41345,41375,239,45639,16078,1,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,1]},"pktlen": {"min":86,"avg":460.9,"max":1474,"stddev":554.6,"var":307585.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474]},"bins": {"c_to_s": [10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1]}}
 01599{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}}
-01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23717.0,"max":168765,"stddev":39116.9,"var":1530135680.0,"ent":3.3,"data": [34819,34839,225,53032,4946,57771,466,435,8,5,3584,2043,379,91732,168765,1823,72847,231,970,1993,2727,14555,61747,2,76315,38,696,685,116,0,0,0]},"pktlen": {"min":86,"avg":408.8,"max":1294,"stddev":466.2,"var":217386.3,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23717.0,"max":168765,"stddev":39116.9,"var":1530135680.0,"ent":3.3,"data": [34819,34839,225,53032,4946,57771,466,435,8,5,3584,2043,379,91732,168765,1823,72847,231,970,1993,2727,14555,61747,2,76315,38,696,685,116]},"pktlen": {"min":86,"avg":408.8,"max":1294,"stddev":466.2,"var":217386.3,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688324076,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688324076,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjQAAAAAoAL9INe7AAACBAWgBAIICn8mSwwAAAAAAQMDBw=="}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3358,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688336354,"flow_dst_last_pkt_time":1605291688336354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688336354,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -261,8 +261,8 @@
 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3517,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688365341,"flow_dst_last_pkt_time":1605291688408044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408044,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688371089,"flow_dst_last_pkt_time":1605291688408514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408514,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688344280,"flow_src_last_pkt_time":1605291688372055,"flow_dst_last_pkt_time":1605291688411963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688411963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"rules.quantcount.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01737{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10832.1,"max":42730,"stddev":14959.8,"var":223794400.0,"ent":3.6,"data": [41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540,0]},"pktlen": {"min":86,"avg":264.0,"max":1474,"stddev":362.6,"var":131502.0,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86]},"bins": {"c_to_s": [11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":48119.6,"max":216552,"stddev":68159.2,"var":4645675520.0,"ent":3.6,"data": [29231,29299,228,29539,187299,216552,332,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106,0,0]},"pktlen": {"min":86,"avg":272.4,"max":1474,"stddev":353.4,"var":124913.6,"ent":4.2,"data": [94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352]},"bins": {"c_to_s": [9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1]}}
+01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10832.1,"max":42730,"stddev":14959.8,"var":223794400.0,"ent":3.6,"data": [41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540]},"pktlen": {"min":86,"avg":264.0,"max":1474,"stddev":362.6,"var":131502.0,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86]},"bins": {"c_to_s": [11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
+01591{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":48119.6,"max":216552,"stddev":68159.2,"var":4645675520.0,"ent":3.6,"data": [29231,29299,228,29539,187299,216552,332,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106]},"pktlen": {"min":86,"avg":272.4,"max":1474,"stddev":353.4,"var":124913.6,"ent":4.2,"data": [94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352]},"bins": {"c_to_s": [9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1]}}
 01671{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}}
 00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688611238,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688611238,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z44AAAAAoAL9IIe6AAACBAWgBAIICvY2BR4AAAAAAQMDBw=="}
@@ -280,7 +280,7 @@
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4267,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688749044,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688786435,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAQqAcsBIEmLB5kd7IUo3\/YpAbvfwoEYYXPjQDuzoBJXgOVIAAACBAV4AQMDAwQCCArC10M\/bf\/I8g=="}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4268,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688786460,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688786460,"pkt":"qtsDr8lk5EKm5WPyht1gCJDMACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAE38IBu+NAO7OBGGF0gBAB+2k0AAABAQgKbf\/JGMLXQz8="}
 01155{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4269,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688786633,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688786633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12972.1,"max":51136,"stddev":18175.8,"var":330360896.0,"ent":3.5,"data": [43010,43065,309,41280,10189,51136,400,38397,3509,41489,471,1,468,4,62,52,2291,169,102,38533,1,35978,9,3,58,5162,2233,17560,249,0,0,0]},"pktlen": {"min":86,"avg":321.8,"max":1294,"stddev":396.4,"var":157103.1,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01734{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12972.1,"max":51136,"stddev":18175.8,"var":330360896.0,"ent":3.5,"data": [43010,43065,309,41280,10189,51136,400,38397,3509,41489,471,1,468,4,62,52,2291,169,102,38533,1,35978,9,3,58,5162,2233,17560,249]},"pktlen": {"min":86,"avg":321.8,"max":1294,"stddev":396.4,"var":157103.1,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":4414,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688712501,"flow_src_last_pkt_time":1605291688754330,"flow_dst_last_pkt_time":1605291688813598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688813598,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"static.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688830061,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688830061,"pkt":"qtsDr8lk5EKm5WPyht1gBrB0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAB4woBuyKqv5AAAAAAoAL9IFwjAAACBAWgBAIICu7gTZEAAAAAAQMDBw=="}
@@ -302,15 +302,15 @@
 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4861,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688893806,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688894065,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688831210,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688894545,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgVAAAAAAAAIBYqAcsBIEmLB5kd7IUo3\/YpAbvMSCvRvaZMy7vtoBJXgIUlAAACBAV4AQMDAwQCCArC10OaRJp0xw=="}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4867,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688894570,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688894570,"pkt":"qtsDr8lk5EKm5WPyht1gDPOvACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFQAAAAAAACAWzEgBu0zLu+0r0b2ngBAB+wj4AAABAQgKRJp1BsLXQ5o="}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10111.2,"max":62320,"stddev":17971.1,"var":322959648.0,"ent":3.0,"data": [37391,37416,173,47446,15044,62320,24,361,320,2535,232,269,39947,114,2294,39328,242,2903,2650,782,796,254,1,2,253,13,20,95,1,0,0,0]},"pktlen": {"min":86,"avg":426.8,"max":1294,"stddev":483.3,"var":233579.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10111.2,"max":62320,"stddev":17971.1,"var":322959648.0,"ent":3.0,"data": [37391,37416,173,47446,15044,62320,24,361,320,2535,232,269,39947,114,2294,39328,242,2903,2650,782,796,254,1,2,253,13,20,95,1]},"pktlen": {"min":86,"avg":426.8,"max":1294,"stddev":483.3,"var":233579.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4885,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688895701,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01195{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5588,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688963049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5606,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688963101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963101,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291688889651,"flow_dst_last_pkt_time":1605291688963103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963103,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5621,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843948,"flow_src_last_pkt_time":1605291688889830,"flow_dst_last_pkt_time":1605291688963145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963145,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13032.1,"max":68993,"stddev":23942.8,"var":573258176.0,"ent":2.8,"data": [63745,63780,224,68524,719,1,1,1,68993,14,7,6,49,23,8336,2581,2495,40185,1017,27807,170,1594,1,1430,17,147,1,0,0,0,0,0]},"pktlen": {"min":86,"avg":399.7,"max":1294,"stddev":459.2,"var":210886.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
-01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12082.8,"max":73480,"stddev":21188.9,"var":448969504.0,"ent":3.0,"data": [45331,45373,379,65680,8193,73480,42,21,5,12589,926,174,173,41157,1595,28896,105,3348,1,3744,1,1,6991,22,3,3,85,1,0,0,0,0]},"pktlen": {"min":86,"avg":423.5,"max":1294,"stddev":484.5,"var":234727.2,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14159.8,"max":67787,"stddev":23093.6,"var":533315104.0,"ent":3.2,"data": [63335,63360,1131,67787,769,1,1,67414,6,6,11732,1751,188,41623,368,28482,452,4153,1923,5466,17937,17942,106,77,226,1,229,7,0,0,0,0]},"pktlen": {"min":86,"avg":434.5,"max":1294,"stddev":488.8,"var":238946.4,"ent":4.2,"data": [94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13032.1,"max":68993,"stddev":23942.8,"var":573258176.0,"ent":2.8,"data": [63745,63780,224,68524,719,1,1,1,68993,14,7,6,49,23,8336,2581,2495,40185,1017,27807,170,1594,1,1430,17,147,1]},"pktlen": {"min":86,"avg":399.7,"max":1294,"stddev":459.2,"var":210886.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12082.8,"max":73480,"stddev":21188.9,"var":448969504.0,"ent":3.0,"data": [45331,45373,379,65680,8193,73480,42,21,5,12589,926,174,173,41157,1595,28896,105,3348,1,3744,1,1,6991,22,3,3,85,1]},"pktlen": {"min":86,"avg":423.5,"max":1294,"stddev":484.5,"var":234727.2,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14159.8,"max":67787,"stddev":23093.6,"var":533315104.0,"ent":3.2,"data": [63335,63360,1131,67787,769,1,1,67414,6,6,11732,1751,188,41623,368,28482,452,4153,1923,5466,17937,17942,106,77,226,1,229,7]},"pktlen": {"min":86,"avg":434.5,"max":1294,"stddev":488.8,"var":238946.4,"ent":4.2,"data": [94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689408040,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689408040,"pkt":"qtsDr8lk5EKm5WPyht1gCYSFACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3UABuxOPoYYAAAAAoAL9IMRnAAACBAWgBAIICql08xMAAAAAAQMDBw=="}
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7110,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689433785,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdQHZ86cETj6GHoBJXgAFCAAACBAV4AQMDAwQCCArC10XLqXTzEw=="}
@@ -318,7 +318,7 @@
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689434011,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01216{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8671,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689577976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291689577976,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01485{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8678,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689578012,"flow_dst_last_pkt_time":1605291689578047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291689578047,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}}
-01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16756.9,"max":144189,"stddev":37481.1,"var":1404833920.0,"ent":2.7,"data": [25745,25768,203,144189,2,143997,4,71,1,41,7,2508,597,1253,49737,1,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238,0,0,0]},"pktlen": {"min":86,"avg":277.2,"max":1134,"stddev":320.8,"var":102914.8,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128]},"bins": {"c_to_s": [9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1]}}
+01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16756.9,"max":144189,"stddev":37481.1,"var":1404833920.0,"ent":2.7,"data": [25745,25768,203,144189,2,143997,4,71,1,41,7,2508,597,1253,49737,1,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238]},"pktlen": {"min":86,"avg":277.2,"max":1134,"stddev":320.8,"var":102914.8,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128]},"bins": {"c_to_s": [9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1]}}
 01488{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690373466,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690373466,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690373466,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2UAAAAAoAL9IFr7AAACBAWgBAIIClRf7UgAAAAAAQMDBw=="}
@@ -345,8 +345,8 @@
 01262{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9134,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690449801,"flow_dst_last_pkt_time":1605291690483975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291690483975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690440589,"flow_dst_last_pkt_time":1605291690501383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":1605291690501383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01525{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9166,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690502241,"flow_dst_last_pkt_time":1605291690502750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5440,"midstream":0,"thread_ts_usec":1605291690502750,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","server_names":"aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Amazon, OU=Server CA 1B, CN=Amazon","subjectDN":"CN=aax-eu.amazon-adsystem.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B"}}}
-01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7680.9,"max":45875,"stddev":12464.9,"var":155373568.0,"ent":3.4,"data": [18528,18557,358,37185,9026,1,2,1,45875,10,14,14,8672,419,266,33620,1,89,1151,1,25433,25,482,7313,1,1,6808,24,7,3698,20526,0]},"pktlen": {"min":86,"avg":294.1,"max":1294,"stddev":371.7,"var":138197.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7102.9,"max":34221,"stddev":11390.5,"var":129743840.0,"ent":3.4,"data": [28106,28139,660,33241,1626,34221,71,30,636,643,4625,213,224,27018,3512,25468,241,4283,1409,5453,77,6348,1,6424,34,8,196,1,158,22,0,0]},"pktlen": {"min":86,"avg":337.8,"max":1294,"stddev":408.2,"var":166632.7,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
+01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7680.9,"max":45875,"stddev":12464.9,"var":155373568.0,"ent":3.4,"data": [18528,18557,358,37185,9026,1,2,1,45875,10,14,14,8672,419,266,33620,1,89,1151,1,25433,25,482,7313,1,1,6808,24,7,3698,20526]},"pktlen": {"min":86,"avg":294.1,"max":1294,"stddev":371.7,"var":138197.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7102.9,"max":34221,"stddev":11390.5,"var":129743840.0,"ent":3.4,"data": [28106,28139,660,33241,1626,34221,71,30,636,643,4625,213,224,27018,3512,25468,241,4283,1409,5453,77,6348,1,6424,34,8,196,1,158,22]},"pktlen": {"min":86,"avg":337.8,"max":1294,"stddev":408.2,"var":166632.7,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926655,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690926655,"pkt":"qtsDr8lk5EKm5WPyht1gDDgdACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACABttYBu\/eX0dQAAAAAoAL9IKwyAAACBAWgBAIIChrDFp8AAAAAAQMDBw=="}
 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9280,"source":"reddit.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926734,"flow_src_last_pkt_time":1605291690926734,"flow_dst_last_pkt_time":1605291690926734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926734,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46808,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -411,9 +411,9 @@
 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690926978,"flow_src_last_pkt_time":1605291690957682,"flow_dst_last_pkt_time":1605291691004686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291691004686,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"tpc.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":2,"flow_src_last_pkt_time":1605291690992851,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291691029572,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQbO1037mLrsxooBJXgErvAAACBAV4AQMDAwQCCArC10wIuJU7dg=="}
 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9476,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":3,"flow_src_last_pkt_time":1605291691029601,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":74,"pkt_l4_len":20,"thread_ts_usec":1605291691029601,"pkt":"qtsDr8lk5EKm5WPyht1gBfK\/ABQGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGwBu4uuzGgAAAAAUAQAANo6AAA="}
-01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7798.6,"max":42183,"stddev":12366.5,"var":152931424.0,"ent":3.3,"data": [25564,25583,1059,31489,7154,1,37586,36,127,1,1,1,87,28,7124,13598,568,199,42183,2,20688,340,10112,7,263,1,3,2,10101,50,0,0]},"pktlen": {"min":86,"avg":482.5,"max":1294,"stddev":513.4,"var":263601.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86]},"bins": {"c_to_s": [10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9430.2,"max":45897,"stddev":14278.1,"var":203864128.0,"ent":3.4,"data": [29535,29546,105,39799,6197,1,1,45897,20,10,16645,7440,877,217,45409,188,20393,461,14689,1873,1,1,16098,2949,2,2950,29,8,1564,1,0,0]},"pktlen": {"min":86,"avg":334.9,"max":1294,"stddev":398.4,"var":158685.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9882.7,"max":43801,"stddev":13582.8,"var":184491312.0,"ent":3.6,"data": [28655,28663,221,37924,6057,43801,75,33,588,595,16415,9761,878,43789,3898,20653,579,14876,1700,16044,10542,2,1,1,10492,40,13,10,172,3,0,0]},"pktlen": {"min":86,"avg":284.1,"max":1294,"stddev":336.6,"var":113301.5,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7798.6,"max":42183,"stddev":12366.5,"var":152931424.0,"ent":3.3,"data": [25564,25583,1059,31489,7154,1,37586,36,127,1,1,1,87,28,7124,13598,568,199,42183,2,20688,340,10112,7,263,1,3,2,10101,50]},"pktlen": {"min":86,"avg":482.5,"max":1294,"stddev":513.4,"var":263601.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86]},"bins": {"c_to_s": [10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9430.2,"max":45897,"stddev":14278.1,"var":203864128.0,"ent":3.4,"data": [29535,29546,105,39799,6197,1,1,45897,20,10,16645,7440,877,217,45409,188,20393,461,14689,1873,1,1,16098,2949,2,2950,29,8,1564,1]},"pktlen": {"min":86,"avg":334.9,"max":1294,"stddev":398.4,"var":158685.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}}
+01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9882.7,"max":43801,"stddev":13582.8,"var":184491312.0,"ent":3.6,"data": [28655,28663,221,37924,6057,43801,75,33,588,595,16415,9761,878,43789,3898,20653,579,14876,1700,16044,10542,2,1,1,10492,40,13,10,172,3]},"pktlen": {"min":86,"avg":284.1,"max":1294,"stddev":336.6,"var":113301.5,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291696948991,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291696948991,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696948991,"pkt":"qtsDr8lk5EKm5WPyht1gDNdJACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA006zst54Bu3jHKBQAAAAAoAL9IL45AAACBAWgBAIIClIhuaMAAAAAAQMDBw=="}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11227,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696965238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696965238,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAADTTrOwqAcsBIEmLB5kd7IUo3\/YpAbu3nh9OKxV4xygVoBJXgPOCAAACBAV4AQMDAwQCCArC12M3UiG5ow=="}
@@ -491,10 +491,10 @@
 ~~ total active/idle flows...: 60/60
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7187784 bytes
-~~ total memory freed........: 7187784 bytes
+~~ total memory allocated....: 7187544 bytes
+~~ total memory freed........: 7187544 bytes
 ~~ total allocations/frees...: 134232/134232
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1745 chars
-~~ json string avg len.......: 1118 chars
+~~ json string max len.......: 1740 chars
+~~ json string avg len.......: 1115 chars
diff --git a/test/results/riotgames.pcap.out b/test/results/riotgames.pcap.out
index aa7ce2384..c2a14840f 100644
--- a/test/results/riotgames.pcap.out
+++ b/test/results/riotgames.pcap.out
@@ -64,8 +64,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049945 bytes
-~~ total memory freed........: 6049945 bytes
+~~ total memory allocated....: 6049909 bytes
+~~ total memory freed........: 6049909 bytes
 ~~ total allocations/frees...: 121611/121611
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/rsh-syslog-false-positive.pcap.out b/test/results/rsh-syslog-false-positive.pcap.out
index 546aedf32..53c25fd19 100644
--- a/test/results/rsh-syslog-false-positive.pcap.out
+++ b/test/results/rsh-syslog-false-positive.pcap.out
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035877 bytes
-~~ total memory freed........: 6035877 bytes
+~~ total memory allocated....: 6035873 bytes
+~~ total memory freed........: 6035873 bytes
 ~~ total allocations/frees...: 121495/121495
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 259 chars
diff --git a/test/results/rsh.pcap.out b/test/results/rsh.pcap.out
index b9a38a7b6..242f4483f 100644
--- a/test/results/rsh.pcap.out
+++ b/test/results/rsh.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042151 bytes
-~~ total memory freed........: 6042151 bytes
+~~ total memory allocated....: 6042143 bytes
+~~ total memory freed........: 6042143 bytes
 ~~ total allocations/frees...: 121525/121525
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/rsync.pcap.out b/test/results/rsync.pcap.out
index 3706e5aa5..0582d9a64 100644
--- a/test/results/rsync.pcap.out
+++ b/test/results/rsync.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038563 bytes
-~~ total memory freed........: 6038563 bytes
+~~ total memory allocated....: 6038559 bytes
+~~ total memory freed........: 6038559 bytes
 ~~ total allocations/frees...: 121518/121518
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/rtmp.pcap.out b/test/results/rtmp.pcap.out
index 61fd11b64..fb4c72863 100644
--- a/test/results/rtmp.pcap.out
+++ b/test/results/rtmp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038447 bytes
-~~ total memory freed........: 6038447 bytes
+~~ total memory allocated....: 6038443 bytes
+~~ total memory freed........: 6038443 bytes
 ~~ total allocations/frees...: 121514/121514
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/rtsp.pcap.out b/test/results/rtsp.pcap.out
index b9ad4c8c4..8d6468d97 100644
--- a/test/results/rtsp.pcap.out
+++ b/test/results/rtsp.pcap.out
@@ -10,39 +10,39 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1627567279015798,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015798,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRW5UAAgAaM0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1627567279015800,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015800,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRW5UAAfwaN0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="}
 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279029411,"flow_dst_last_pkt_time":1627567279016046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567279029411,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2259.6,"max":21135,"stddev":5876.1,"var":34528696.0,"ent":2.2,"data": [35,2,147,185,74,3,21,233,32,2,57,13140,10,5,57,13537,3,20,31,20633,10,29,32,21135,10,3,84,464,2,22,30,0]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2259.6,"max":21135,"stddev":5876.1,"var":34528696.0,"ent":2.2,"data": [35,2,147,185,74,3,21,233,32,2,57,13140,10,5,57,13537,3,20,31,20633,10,29,32,21135,10,3,84,464,2,22,30]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338841836,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841836,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1627567338841847,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841847,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1627567338841853,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841853,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXFEAAfwaNoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="}
 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":121,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338851945,"flow_dst_last_pkt_time":1627567338842169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338851945,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":2058.7,"max":21234,"stddev":5470.2,"var":29923468.0,"ent":2.2,"data": [11,6,72,280,3,19,31,588,10,4,95,9323,12,6,70,10052,3,20,30,20464,12,35,38,21234,11,6,415,877,63,5,25,0]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":2058.7,"max":21234,"stddev":5470.2,"var":29923468.0,"ent":2.2,"data": [11,6,72,280,3,19,31,588,10,4,95,9323,12,6,70,10052,3,20,30,20464,12,35,38,21234,11,6,415,877,63,5,25]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398644402,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644402,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1627567398644413,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644413,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":195,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1627567398644419,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644419,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXQ0AAfwaNcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="}
 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":205,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398650712,"flow_dst_last_pkt_time":1627567398644910,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398650712,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1805.0,"max":21000,"stddev":5109.4,"var":26105754.0,"ent":2.2,"data": [11,6,298,316,75,4,113,848,111,3,200,4833,13,7,374,6198,62,5,77,20136,13,74,34,21000,11,7,67,946,6,27,79,0]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1805.0,"max":21000,"stddev":5109.4,"var":26105754.0,"ent":2.2,"data": [11,6,298,316,75,4,113,848,111,3,200,4833,13,7,374,6198,62,5,77,20136,13,74,34,21000,11,7,67,946,6,27,79]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406342871,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342871,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":290,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1627567406342884,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342884,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":291,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1627567406342896,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342896,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXW0AAfwaNWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="}
 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":309,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":8,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849577,"flow_dst_last_pkt_time":1627567406849152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406849577,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":33361.5,"max":505214,"stddev":123872.6,"var":15344430080.0,"ent":1.2,"data": [13,12,110,1319,2,16,338,505214,14,12,119,504501,5,45,55,1025,12,6,56,113,30,3,36,579,55,2,21,20351,8,26,107,0]},"pktlen": {"min":56,"avg":92.3,"max":181,"stddev":48.8,"var":2380.7,"ent":4.8,"data": [68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181]},"bins": {"c_to_s": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":33361.5,"max":505214,"stddev":123872.6,"var":15344430080.0,"ent":1.2,"data": [13,12,110,1319,2,16,338,505214,14,12,119,504501,5,45,55,1025,12,6,56,113,30,3,36,579,55,2,21,20351,8,26,107]},"pktlen": {"min":56,"avg":92.3,"max":181,"stddev":48.8,"var":2380.7,"ent":4.8,"data": [68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181]},"bins": {"c_to_s": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 01018{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":381,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1627567277506127,"flow_src_last_pkt_time":1627567277506259,"flow_dst_last_pkt_time":1627567277506605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":149,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":596,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1627567407043157,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52470,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466882987,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466882987,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":394,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1627567466883000,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883000,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1627567466883010,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883010,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXikAAfwaNKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="}
 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466894186,"flow_dst_last_pkt_time":1627567466883471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466894186,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2320.3,"max":23771,"stddev":5847.6,"var":34194776.0,"ent":2.4,"data": [13,10,107,377,5,25,77,583,10,4,135,10337,14,11,11449,2,754,44,76,20263,13,28,87,23771,10,4,96,3496,1,20,106,0]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2320.3,"max":23771,"stddev":5847.6,"var":34194776.0,"ent":2.4,"data": [13,10,107,377,5,25,77,583,10,4,135,10337,14,11,11449,2,754,44,76,20263,13,28,87,23771,10,4,96,3496,1,20,106]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":477,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":56,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567337246837,"flow_dst_last_pkt_time":1627567337247147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567467094146,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528106056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106056,"pkt":"AAMAAQAGAAwp8x5yLpgIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1627567528106069,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106069,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1627567528106081,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106081,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXuEAAfwaM\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="}
 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528113539,"flow_dst_last_pkt_time":1627567528106633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528113539,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
-01748{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":1871.7,"max":21029,"stddev":5194.1,"var":26978296.0,"ent":2.2,"data": [13,12,126,440,5,40,92,581,9,4,94,6644,14,9,113,7455,6,53,93,20043,15,52,57,21029,9,6,97,810,5,21,76,0]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
+01746{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":1871.7,"max":21029,"stddev":5194.1,"var":26978296.0,"ent":2.2,"data": [13,12,126,440,5,40,92,581,9,4,94,6644,14,9,113,7455,6,53,93,20043,15,52,57,21029,9,6,97,810,5,21,76]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":44,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567397145857,"flow_dst_last_pkt_time":1627567397146153,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":52,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567406306458,"flow_dst_last_pkt_time":1627567406309520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3176,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":60,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567465366594,"flow_dst_last_pkt_time":1627567465366846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":7540,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}}
@@ -57,10 +57,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6076889 bytes
-~~ total memory freed........: 6076889 bytes
+~~ total memory allocated....: 6076861 bytes
+~~ total memory freed........: 6076861 bytes
 ~~ total allocations/frees...: 122145/122145
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1763 chars
-~~ json string avg len.......: 1125 chars
+~~ json string max len.......: 1761 chars
+~~ json string avg len.......: 1124 chars
diff --git a/test/results/rtsp_setup_http.pcapng.out b/test/results/rtsp_setup_http.pcapng.out
index 53213a284..79c57580d 100644
--- a/test/results/rtsp_setup_http.pcapng.out
+++ b/test/results/rtsp_setup_http.pcapng.out
@@ -13,8 +13,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037774 bytes
-~~ total memory freed........: 6037774 bytes
+~~ total memory allocated....: 6037770 bytes
+~~ total memory freed........: 6037770 bytes
 ~~ total allocations/frees...: 121490/121490
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
diff --git a/test/results/rx.pcap.out b/test/results/rx.pcap.out
index 39a77b5fd..ce7f4115a 100644
--- a/test/results/rx.pcap.out
+++ b/test/results/rx.pcap.out
@@ -25,7 +25,7 @@
 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":108,"pkt_l4_len":74,"thread_ts_usec":1460647300017623,"pkt":"AAjK968mPIqwbTfwCABFAABeUWIAADoRQO7Ap858g3LbqBtYG1kASjJ01w+zMFwiT7QAAAABAAAAAAAAAAECIgAAXV0AAQAAAAAAAAABAAAAAQAAAAAGAQEAAAAAAAWkAAAFpAAAABAAAAAB"}
 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":66,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":66,"midstream":0,"thread_ts_usec":1460647300017623,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1460647300017672,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":107,"pkt_l4_len":73,"thread_ts_usec":1460647300017672,"pkt":"PIqwbTfwAAjK968mCABFAABd9xIAAEARlT6DctuowKfOfBtZG1gASacR1w+zMFwiT7QAAAABAAAAAAAAAAICIQAAAAAAAQAAAAAAAAABAAAAAAAAAAEHAAAAAAAAFjwAAAWkAAAAEAAAAAQ="}
-01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":52,"avg":28663.1,"max":105287,"stddev":33586.2,"var":1128029952.0,"ent":4.0,"data": [77545,77601,57048,57152,38155,1292,39484,65722,277,65926,103176,105287,2087,8975,9068,2966,1842,4798,61436,65225,3784,52,6802,6683,61,3692,3703,4895,8042,2994,2787,0]},"pktlen": {"min":70,"avg":176.7,"max":782,"stddev":165.9,"var":27529.2,"ent":4.5,"data": [74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74]},"bins": {"c_to_s": [1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
+01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":52,"avg":28663.1,"max":105287,"stddev":33586.2,"var":1128029952.0,"ent":4.0,"data": [77545,77601,57048,57152,38155,1292,39484,65722,277,65926,103176,105287,2087,8975,9068,2966,1842,4798,61436,65225,3784,52,6802,6683,61,3692,3703,4895,8042,2994,2787]},"pktlen": {"min":70,"avg":176.7,"max":782,"stddev":165.9,"var":27529.2,"ent":4.5,"data": [74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74]},"bins": {"c_to_s": [1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1460647264018403,"flow_src_last_pkt_time":1460647264026325,"flow_dst_last_pkt_time":1460647264026287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":292,"flow_dst_max_l4_payload_len":36,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":36,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":41559,"dst_port":7002,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647320158051,"flow_dst_last_pkt_time":1460647300312692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":637,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":31,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647320158014,"flow_dst_last_pkt_time":1460647300329629,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":4792,"flow_dst_tot_l4_payload_len":4266,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}}
@@ -40,8 +40,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045985 bytes
-~~ total memory freed........: 6045985 bytes
+~~ total memory allocated....: 6045965 bytes
+~~ total memory freed........: 6045965 bytes
 ~~ total allocations/frees...: 121659/121659
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 487 chars
diff --git a/test/results/s7comm.pcap.out b/test/results/s7comm.pcap.out
index e562ef882..c70c2388a 100644
--- a/test/results/s7comm.pcap.out
+++ b/test/results/s7comm.pcap.out
@@ -5,7 +5,7 @@
 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803880679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1408528803880679,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1408528803884414,"pkt":"kOa6hF5BABsbI+s7CABFAAA+AM4AAB4GGGrAqAEowKgBCgBmEFkAAvsQkETduFAYEAAGowAAAwAAFhHQAAcAAwDAAQrBAgEAwgIBAg=="}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1408528803884562,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1408528803884562,"pkt":"ABsbI+s7kOa6hF5BCABFAABBLUxAAIAGAADAqAEKwKgBKBBZAGaQRN24AAL7JlAY+tqDtgAAAwAAGQLwgDIBAAACAAAIAADwAAABAAEB4A=="}
-01672{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":66,"avg":4957.6,"max":9013,"stddev":3321.6,"var":11033309.0,"ent":4.5,"data": [3735,3883,3114,3055,66,6981,6927,4642,8989,4385,568,7037,6437,271,5970,5746,295,9009,8666,204,8975,8763,201,9013,8819,232,8990,8762,250,4988,4713,0]},"pktlen": {"min":61,"avg":91.2,"max":275,"stddev":40.3,"var":1625.5,"ent":4.9,"data": [76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61]},"bins": {"c_to_s": [17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01670{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":66,"avg":4957.6,"max":9013,"stddev":3321.6,"var":11033309.0,"ent":4.5,"data": [3735,3883,3114,3055,66,6981,6927,4642,8989,4385,568,7037,6437,271,5970,5746,295,9009,8666,204,8975,8763,201,9013,8819,232,8990,8762,250,4988,4713]},"pktlen": {"min":61,"avg":91.2,"max":275,"stddev":40.3,"var":1625.5,"ent":4.9,"data": [76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61]},"bins": {"c_to_s": [17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":19,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528804003972,"flow_dst_last_pkt_time":1408528804016478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":247,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":1202,"flow_dst_tot_l4_payload_len":1088,"midstream":1,"thread_ts_usec":1408528804016478,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","packets-captured":55,"packets-processed":55,"total-skipped-flows":0,"total-l4-payload-len":2290,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1408528804016478}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037240 bytes
-~~ total memory freed........: 6037240 bytes
+~~ total memory allocated....: 6037236 bytes
+~~ total memory freed........: 6037236 bytes
 ~~ total allocations/frees...: 121542/121542
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1677 chars
-~~ json string avg len.......: 1031 chars
+~~ json string max len.......: 1675 chars
+~~ json string avg len.......: 1030 chars
diff --git a/test/results/safari.pcap.out b/test/results/safari.pcap.out
index a24b56dfc..eb9e6208c 100644
--- a/test/results/safari.pcap.out
+++ b/test/results/safari.pcap.out
@@ -17,7 +17,7 @@
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217296,"flow_dst_last_pkt_time":1620898025217296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtfkAbuNFQaeAAAAALAC\/\/8+CAAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898025217638,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217638,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtflAbtmxM47AAAAALAC\/\/+cugAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"}
-01570{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":76603.5,"max":579033,"stddev":166832.5,"var":27833075712.0,"ent":2.8,"data": [28338,28438,576,28670,6985,69,14,35105,3,52717,81952,29,29304,948,28144,550635,1230,579033,248,252,138,105,115,138,126,100,428094,455026,4375,1236,32565,0]},"pktlen": {"min":66,"avg":569.5,"max":1506,"stddev":644.5,"var":415419.9,"ent":4.1,"data": [78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66]},"bins": {"c_to_s": [11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0]}}
+01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":76603.5,"max":579033,"stddev":166832.5,"var":27833075712.0,"ent":2.8,"data": [28338,28438,576,28670,6985,69,14,35105,3,52717,81952,29,29304,948,28144,550635,1230,579033,248,252,138,105,115,138,126,100,428094,455026,4375,1236,32565]},"pktlen": {"min":66,"avg":569.5,"max":1506,"stddev":644.5,"var":415419.9,"ent":4.1,"data": [78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66]},"bins": {"c_to_s": [11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0]}}
 01422{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}}
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620898025216866,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898025246476,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71+Mw2y0GI1TJC6AS\/oiwoAAAAgQFrAQCCAo6Vq73MzDJ0wEDAwc="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620898025246531,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620898025246531,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EtfjAbsjVMkLMNstB4AQECzNqAAAAQEICjMwyew6Vq73"}
@@ -39,11 +39,11 @@
 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025249194,"flow_dst_last_pkt_time":1620898025279148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025279148,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}}
 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":74,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025249268,"flow_dst_last_pkt_time":1620898025281225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025281225,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}}
 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025252477,"flow_dst_last_pkt_time":1620898025284814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025284814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}}
-01836{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18051.7,"max":118862,"stddev":28694.5,"var":823374080.0,"ent":3.5,"data": [29610,29665,2362,30524,2,28159,51917,8877,77853,8496,625,1248,27408,129,120,247,131,125,259,123,123,248,503,122,637,24023,24010,84464,7818,118862,914,0]},"pktlen": {"min":66,"avg":632.0,"max":1506,"stddev":660.5,"var":436248.1,"ent":4.2,"data": [78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01836{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19322.4,"max":140358,"stddev":32968.3,"var":1086907520.0,"ent":3.4,"data": [30407,30442,2425,30749,1690,30065,50340,8582,78328,9234,5001,125,33713,130,749,881,125,129,16,259,3,103964,6593,140358,1494,509,31816,122,126,243,376,0]},"pktlen": {"min":66,"avg":616.1,"max":1506,"stddev":656.6,"var":431150.1,"ent":4.1,"data": [78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01836{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":19559.5,"max":144002,"stddev":33697.1,"var":1135492736.0,"ent":3.4,"data": [31343,31380,1377,32375,996,31994,49530,8158,77501,8373,630,1247,30061,122,9,127,127,136,106790,7135,144002,5758,108,35937,131,121,250,128,122,249,129,0]},"pktlen": {"min":66,"avg":624.0,"max":1506,"stddev":657.1,"var":431734.9,"ent":4.2,"data": [78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19628.1,"max":147007,"stddev":34082.4,"var":1161612032.0,"ent":3.3,"data": [33594,33644,1195,33573,9,32379,46938,8284,78165,6257,993,261,30448,865,3,877,105414,6486,147007,2135,111,37341,124,122,246,129,624,757,125,122,244,0]},"pktlen": {"min":66,"avg":604.8,"max":1506,"stddev":660.8,"var":436665.8,"ent":4.1,"data": [78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
-01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":21602.4,"max":146010,"stddev":34561.6,"var":1194505728.0,"ent":3.5,"data": [30429,30474,1424,31291,132,29986,50740,8293,78244,9210,246,28671,116212,146010,494,137,30426,114,380,498,130,113,14,250,2,896,5501,36248,1496,132,31482,0]},"pktlen": {"min":66,"avg":533.0,"max":1506,"stddev":616.9,"var":380607.3,"ent":4.1,"data": [78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18051.7,"max":118862,"stddev":28694.5,"var":823374080.0,"ent":3.5,"data": [29610,29665,2362,30524,2,28159,51917,8877,77853,8496,625,1248,27408,129,120,247,131,125,259,123,123,248,503,122,637,24023,24010,84464,7818,118862,914]},"pktlen": {"min":66,"avg":632.0,"max":1506,"stddev":660.5,"var":436248.1,"ent":4.2,"data": [78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19322.4,"max":140358,"stddev":32968.3,"var":1086907520.0,"ent":3.4,"data": [30407,30442,2425,30749,1690,30065,50340,8582,78328,9234,5001,125,33713,130,749,881,125,129,16,259,3,103964,6593,140358,1494,509,31816,122,126,243,376]},"pktlen": {"min":66,"avg":616.1,"max":1506,"stddev":656.6,"var":431150.1,"ent":4.1,"data": [78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":19559.5,"max":144002,"stddev":33697.1,"var":1135492736.0,"ent":3.4,"data": [31343,31380,1377,32375,996,31994,49530,8158,77501,8373,630,1247,30061,122,9,127,127,136,106790,7135,144002,5758,108,35937,131,121,250,128,122,249,129]},"pktlen": {"min":66,"avg":624.0,"max":1506,"stddev":657.1,"var":431734.9,"ent":4.2,"data": [78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19628.1,"max":147007,"stddev":34082.4,"var":1161612032.0,"ent":3.3,"data": [33594,33644,1195,33573,9,32379,46938,8284,78165,6257,993,261,30448,865,3,877,105414,6486,147007,2135,111,37341,124,122,246,129,624,757,125,122,244]},"pktlen": {"min":66,"avg":604.8,"max":1506,"stddev":660.8,"var":436665.8,"ent":4.1,"data": [78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01832{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":21602.4,"max":146010,"stddev":34561.6,"var":1194505728.0,"ent":3.5,"data": [30429,30474,1424,31291,132,29986,50740,8293,78244,9210,246,28671,116212,146010,494,137,30426,114,380,498,130,113,14,250,2,896,5501,36248,1496,132,31482]},"pktlen": {"min":66,"avg":533.0,"max":1506,"stddev":616.9,"var":380607.3,"ent":4.1,"data": [78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898027036438,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898027036438,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898027036438,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Etf1AbvGGXtuAAAAALAC\/\/+JoQAAAgQFtAEDAwUBAQgKMzDQVQAAAAAEAgAA"}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5393,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027065042,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898027065042,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71\/XZbafoxhl7b6AS\/ogqVAAAAgQFrAQCCAo6VrYRMzDQVQEDAwc="}
@@ -67,10 +67,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6285272 bytes
-~~ total memory freed........: 6285272 bytes
+~~ total memory allocated....: 6285244 bytes
+~~ total memory freed........: 6285244 bytes
 ~~ total allocations/frees...: 127601/127601
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1841 chars
-~~ json string avg len.......: 1165 chars
+~~ json string max len.......: 1839 chars
+~~ json string avg len.......: 1164 chars
diff --git a/test/results/salesforce.pcap.out b/test/results/salesforce.pcap.out
index 1d9600cf0..45f702a83 100644
--- a/test/results/salesforce.pcap.out
+++ b/test/results/salesforce.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046559 bytes
-~~ total memory freed........: 6046559 bytes
+~~ total memory allocated....: 6046555 bytes
+~~ total memory freed........: 6046555 bytes
 ~~ total allocations/frees...: 121511/121511
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/sccp_hw_conf_register.pcapng.out b/test/results/sccp_hw_conf_register.pcapng.out
index ce6146f4b..e68d3407e 100644
--- a/test/results/sccp_hw_conf_register.pcapng.out
+++ b/test/results/sccp_hw_conf_register.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036138 bytes
-~~ total memory freed........: 6036138 bytes
+~~ total memory allocated....: 6036134 bytes
+~~ total memory freed........: 6036134 bytes
 ~~ total allocations/frees...: 121504/121504
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 508 chars
diff --git a/test/results/sctp.cap.out b/test/results/sctp.cap.out
index f1ec85d4a..5a8b8ba46 100644
--- a/test/results/sctp.cap.out
+++ b/test/results/sctp.cap.out
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037389 bytes
-~~ total memory freed........: 6037389 bytes
+~~ total memory allocated....: 6037381 bytes
+~~ total memory freed........: 6037381 bytes
 ~~ total allocations/frees...: 121501/121501
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/selfsigned.pcap.out b/test/results/selfsigned.pcap.out
index da03d863e..d9296bb90 100644
--- a/test/results/selfsigned.pcap.out
+++ b/test/results/selfsigned.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6048705 bytes
-~~ total memory freed........: 6048705 bytes
+~~ total memory allocated....: 6048701 bytes
+~~ total memory freed........: 6048701 bytes
 ~~ total allocations/frees...: 121516/121516
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/sflow.pcap.out b/test/results/sflow.pcap.out
index b96297491..6146a144a 100644
--- a/test/results/sflow.pcap.out
+++ b/test/results/sflow.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035906 bytes
-~~ total memory freed........: 6035906 bytes
+~~ total memory allocated....: 6035902 bytes
+~~ total memory freed........: 6035902 bytes
 ~~ total allocations/frees...: 121496/121496
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/signal.pcap.out b/test/results/signal.pcap.out
index c845f8ffe..4cab3e0cf 100644
--- a/test/results/signal.pcap.out
+++ b/test/results/signal.pcap.out
@@ -34,7 +34,7 @@
 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247603797,"flow_src_last_pkt_time":1569051247716407,"flow_dst_last_pkt_time":1569051247714648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716407,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1569051247716684,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051247716684,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGZHzAqAIRIuHwrd68AbvGwW2ECR79gIAQBAtLWAAAAQEICihVUl9kFVbr"}
 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247601573,"flow_src_last_pkt_time":1569051247716836,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716836,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":12410.3,"max":52274,"stddev":19984.8,"var":399390400.0,"ent":3.2,"data": [44158,46025,121,45605,778,217,319,168,47796,18,50,46011,44670,7772,1684,58,381,118,52274,18,1127,18,42555,122,704,525,120,879,64,358,7,0]},"pktlen": {"min":66,"avg":427.3,"max":1506,"stddev":522.5,"var":272968.6,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427]},"bins": {"c_to_s": [10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":12410.3,"max":52274,"stddev":19984.8,"var":399390400.0,"ent":3.2,"data": [44158,46025,121,45605,778,217,319,168,47796,18,50,46011,44670,7772,1684,58,381,118,52274,18,1127,18,42555,122,704,525,120,879,64,358,7]},"pktlen": {"min":66,"avg":427.3,"max":1506,"stddev":522.5,"var":272968.6,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427]},"bins": {"c_to_s": [10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247818667,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01630{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051247818679,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}}
 01170{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247600467,"flow_src_last_pkt_time":1569051247711181,"flow_dst_last_pkt_time":1569051247822394,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247822394,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
@@ -89,7 +89,7 @@
 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264091926,"flow_src_last_pkt_time":1569051264259470,"flow_dst_last_pkt_time":1569051264203333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259470,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1569051264259507,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051264259507,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGUTrAqAIRI6kDKN7BAbuYIIuNFdnORoAQBAtBKQAAAQEICihVkvxkFUBN"}
 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":203,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264093006,"flow_src_last_pkt_time":1569051264259677,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259677,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14977.4,"max":100663,"stddev":25001.2,"var":625062336.0,"ent":3.3,"data": [34916,37696,123,37363,772,231,309,173,37044,153,34846,100663,83343,17640,1078,2531,59,427,91,36023,34,31611,467,2412,13,489,2231,1076,233,244,7,0]},"pktlen": {"min":66,"avg":445.7,"max":1506,"stddev":520.4,"var":270842.4,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427]},"bins": {"c_to_s": [9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
+01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14977.4,"max":100663,"stddev":25001.2,"var":625062336.0,"ent":3.3,"data": [34916,37696,123,37363,772,231,309,173,37044,153,34846,100663,83343,17640,1078,2531,59,427,91,36023,34,31611,467,2412,13,489,2231,1076,233,244,7]},"pktlen": {"min":66,"avg":445.7,"max":1506,"stddev":520.4,"var":270842.4,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427]},"bins": {"c_to_s": [9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}}
 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264342899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264342899,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01629{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":229,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264343005,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051264343005,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}}
 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":233,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264090815,"flow_src_last_pkt_time":1569051264259325,"flow_dst_last_pkt_time":1569051264369936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264369936,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
@@ -105,7 +105,7 @@
 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":321,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264775024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264776825,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":323,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264887563,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01558{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887591,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2478,"midstream":0,"thread_ts_usec":1569051264887591,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}}
-01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32686.5,"max":114919,"stddev":49905.0,"var":2490513152.0,"ent":3.3,"data": [108942,110621,122,110401,2138,28,112445,4951,114919,23,109553,1892,17,11,122,779,118,231,116,111402,211,108448,1776,614,1715,181,200,291,136,109394,1485,0]},"pktlen": {"min":66,"avg":533.2,"max":1506,"stddev":606.2,"var":367455.8,"ent":4.1,"data": [78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66]},"bins": {"c_to_s": [4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32686.5,"max":114919,"stddev":49905.0,"var":2490513152.0,"ent":3.3,"data": [108942,110621,122,110401,2138,28,112445,4951,114919,23,109553,1892,17,11,122,779,118,231,116,111402,211,108448,1776,614,1715,181,200,291,136,109394,1485]},"pktlen": {"min":66,"avg":533.2,"max":1506,"stddev":606.2,"var":367455.8,"ent":4.1,"data": [78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66]},"bins": {"c_to_s": [4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569051266396342,"pkt":"xGGLNYKpxiwDYGpkCABFAABMyV0AADQGy0wXORgQwKgCEQG73rjhiC89LB07wYAYAQKY+AAAAQEICpZOcwIoVP9fFwMDABNN53WS+HQ+OdIkNGbGHI++PaTs"}
 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -118,7 +118,7 @@
 01087{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":376,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267154562,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267161538,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":378,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197332,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051267197332,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01471{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2383,"midstream":0,"thread_ts_usec":1569051267197345,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}}
-01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":11950.2,"max":43365,"stddev":16041.8,"var":257340416.0,"ent":3.7,"data": [32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119,0]},"pktlen": {"min":66,"avg":512.2,"max":1506,"stddev":608.0,"var":369644.2,"ent":4.1,"data": [78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1]}}
+01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":11950.2,"max":43365,"stddev":16041.8,"var":257340416.0,"ent":3.7,"data": [32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119]},"pktlen": {"min":66,"avg":512.2,"max":1506,"stddev":608.0,"var":369644.2,"ent":4.1,"data": [78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1]}}
 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}}
 00897{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1569051245838268,"flow_src_last_pkt_time":1569051261595218,"flow_dst_last_pkt_time":1569051245838268,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1569051255515841,"flow_src_last_pkt_time":1569051255541412,"flow_dst_last_pkt_time":1569051255539776,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -148,10 +148,10 @@
 ~~ total active/idle flows...: 19/19
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6314412 bytes
-~~ total memory freed........: 6314412 bytes
+~~ total memory allocated....: 6314336 bytes
+~~ total memory freed........: 6314336 bytes
 ~~ total allocations/frees...: 122426/122426
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1719 chars
-~~ json string avg len.......: 1104 chars
+~~ json string max len.......: 1717 chars
+~~ json string avg len.......: 1103 chars
diff --git a/test/results/simple-dnscrypt.pcap.out b/test/results/simple-dnscrypt.pcap.out
index d7775d04c..234835cd5 100644
--- a/test/results/simple-dnscrypt.pcap.out
+++ b/test/results/simple-dnscrypt.pcap.out
@@ -7,7 +7,7 @@
 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284666208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813284694670,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284804255,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813284804255,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01465{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":7,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284809547,"flow_dst_last_pkt_time":1491813284819906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813284819906,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}}
-01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43169.3,"max":221977,"stddev":52652.2,"var":2772254720.0,"ent":3.9,"data": [110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,26832,76361,36004,32630,95192,61613,221977,1,0,0]},"pktlen": {"min":54,"avg":397.4,"max":1364,"stddev":516.9,"var":267229.7,"ent":4.0,"data": [66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324]},"bins": {"c_to_s": [7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1]}}
+01576{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43169.3,"max":221977,"stddev":52652.2,"var":2772254720.0,"ent":3.9,"data": [110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,26832,76361,36004,32630,95192,61613,221977,1]},"pktlen": {"min":54,"avg":397.4,"max":1364,"stddev":516.9,"var":267229.7,"ent":4.0,"data": [66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324]},"bins": {"c_to_s": [7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1]}}
 01468{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813286275625,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491813286275625,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSdAAIAGML7AqCunhncaGMRNAbtYb9jbAAAAAIACIADK3QAAAgQFtAEDAwgBAQQC"}
@@ -30,7 +30,7 @@
 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286592939,"flow_dst_last_pkt_time":1491813286594033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286594033,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}}
 01134{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286491438,"flow_dst_last_pkt_time":1491813286609961,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813286609961,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286612199,"flow_dst_last_pkt_time":1491813286612925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286612925,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}}
-01564{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26187.7,"max":105611,"stddev":36205.4,"var":1310829056.0,"ent":3.6,"data": [76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,9610,25085,23405,82024,4138,98354,0,0]},"pktlen": {"min":54,"avg":333.1,"max":1364,"stddev":456.8,"var":208637.0,"ent":4.0,"data": [66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54]},"bins": {"c_to_s": [7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0]}}
+01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26187.7,"max":105611,"stddev":36205.4,"var":1310829056.0,"ent":3.6,"data": [76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,9610,25085,23405,82024,4138,98354]},"pktlen": {"min":54,"avg":333.1,"max":1364,"stddev":456.8,"var":208637.0,"ent":4.0,"data": [66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54]},"bins": {"c_to_s": [7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0]}}
 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}}
 00928{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":21,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285262104,"flow_dst_last_pkt_time":1491813285262021,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":13434,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}}
 00776{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":10,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286718876,"flow_dst_last_pkt_time":1491813286718848,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":7183,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -45,10 +45,10 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6141412 bytes
-~~ total memory freed........: 6141412 bytes
+~~ total memory allocated....: 6141396 bytes
+~~ total memory freed........: 6141396 bytes
 ~~ total allocations/frees...: 121674/121674
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
-~~ json string max len.......: 1585 chars
-~~ json string avg len.......: 1041 chars
+~~ json string max len.......: 1581 chars
+~~ json string avg len.......: 1039 chars
diff --git a/test/results/sip.pcap.out b/test/results/sip.pcap.out
index e151fe3a0..f58edd53a 100644
--- a/test/results/sip.pcap.out
+++ b/test/results/sip.pcap.out
@@ -22,7 +22,7 @@
 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":44,"source":"sip.pcap","alias":"nDPId-test","packets-captured":44,"packets-processed":43,"total-skipped-flows":0,"total-l4-payload-len":17733,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":9,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":22,"global_ts_usec":1120470187658020}
 00903{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":46,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":10,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470216689496,"flow_dst_last_pkt_time":1120469956406918,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":491,"flow_src_tot_l4_payload_len":4633,"flow_dst_tot_l4_payload_len":4354,"midstream":0,"thread_ts_usec":1120470216689496,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":46,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470216689496,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01830{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":42751008.0,"max":279041814,"stddev":57873684.0,"var":3349363405357056.0,"ent":4.0,"data": [136757,17415627,17424961,49834,89928591,89874891,17280679,17290428,150200040,150188219,17325180,17335822,73916043,73902652,17325038,17333170,25935,17724998,29031776,29092737,34118166,34119076,29272359,29031830,29031631,29031476,17104967,497671,1001842,279041814,227102,0]},"pktlen": {"min":47,"avg":429.3,"max":867,"stddev":273.0,"var":74531.7,"ent":4.6,"data": [509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":42751008.0,"max":279041814,"stddev":57873684.0,"var":3349363405357056.0,"ent":4.0,"data": [136757,17415627,17424961,49834,89928591,89874891,17280679,17290428,150200040,150188219,17325180,17335822,73916043,73902652,17325038,17333170,25935,17724998,29031776,29092737,34118166,34119076,29272359,29031830,29031631,29031476,17104967,497671,1001842,279041814,227102]},"pktlen": {"min":47,"avg":429.3,"max":867,"stddev":273.0,"var":74531.7,"ent":4.6,"data": [509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":12,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470268180956,"flow_dst_last_pkt_time":1120470268128176,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1076,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":8864,"flow_dst_tot_l4_payload_len":5392,"midstream":0,"thread_ts_usec":1120470268180956,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470268180956,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":57,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470315341351,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -59,10 +59,10 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043777 bytes
-~~ total memory freed........: 6043777 bytes
+~~ total memory allocated....: 6043761 bytes
+~~ total memory freed........: 6043761 bytes
 ~~ total allocations/frees...: 121629/121629
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1835 chars
-~~ json string avg len.......: 1160 chars
+~~ json string max len.......: 1833 chars
+~~ json string avg len.......: 1159 chars
diff --git a/test/results/sip_hello.pcapng.out b/test/results/sip_hello.pcapng.out
index cb1ec6a90..f3eeffc69 100644
--- a/test/results/sip_hello.pcapng.out
+++ b/test/results/sip_hello.pcapng.out
@@ -24,8 +24,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036515 bytes
-~~ total memory freed........: 6036515 bytes
+~~ total memory allocated....: 6036511 bytes
+~~ total memory freed........: 6036511 bytes
 ~~ total allocations/frees...: 121517/121517
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
diff --git a/test/results/sites.pcapng.out b/test/results/sites.pcapng.out
index ed25c5857..3b2470acb 100644
--- a/test/results/sites.pcapng.out
+++ b/test/results/sites.pcapng.out
@@ -30,7 +30,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1623223596002274,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623223596002274,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0ZBlAAEAGCezAqAGAW8au0MW8AbvaIBcIazbbIYAQAfbJTQAAAQEICrzqTwcXn7ww"}
 01099{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":70,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223596004515,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.2","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 01144{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223596052201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1623223596052201,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
-01532{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":19621.6,"max":52937,"stddev":23899.2,"var":571172992.0,"ent":2.8,"data": [46836,50076,2241,52937,230,52220,1478,638,2420,52443,779,3077,237,199,47900,235,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":66,"avg":613.8,"max":1514,"stddev":646.4,"var":417856.7,"ent":4.2,"data": [74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0]}}
+01500{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":19621.6,"max":52937,"stddev":23899.2,"var":571172992.0,"ent":2.8,"data": [46836,50076,2241,52937,230,52220,1478,638,2420,52443,779,3077,237,199,47900,235]},"pktlen": {"min":66,"avg":613.8,"max":1514,"stddev":646.4,"var":417856.7,"ent":4.2,"data": [74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0]}}
 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}}
 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":107,"source":"sites.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":17,"flow_first_seen":1623222051753416,"flow_src_last_pkt_time":1623222112086485,"flow_dst_last_pkt_time":1623222112185361,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2226,"flow_dst_tot_l4_payload_len":6554,"midstream":0,"thread_ts_usec":1623223596203292,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"52.73.71.226","src_port":50071,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":119,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":119,"packets-processed":118,"total-skipped-flows":0,"total-l4-payload-len":35609,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":4,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1623226283573712}
@@ -39,7 +39,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623226283601626,"pkt":"AoEfHBPlpJGxgjQ5CABFAAA0AABAADMGZpwtUvEzwKgB+gBQm9LNImc9F4Arv4ASchAIQAAAAgQFeAEBBAIBAwMK"}
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1623226283602794,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1623226283602794,"pkt":"pJGxgjQ5AoEfHBPlCABFAAAoM5VAAEAGJhPAqAH6LVLxM5vSAFAXgCu\/zSJnPlAQAKy6PQAAAAAAAAAA"}
 01048{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226283612303,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":190,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226283612303,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"videosnap.like.video","http": {"url":"videosnap.like.video\/eu_live\/5uz\/1YOmxT.webp?type=8&resize=1&dw=360","code":0,"content_type":"","user_agent":"Like-Android"}}}
-01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":249,"avg":138004.6,"max":1031142,"stddev":327437.1,"var":107215077376.0,"ent":1.6,"data": [27914,29082,9509,39180,2950,249,59912,307,304,974261,1031142,29550,491,2002,490,730,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":659.1,"max":1514,"stddev":701.2,"var":491744.0,"ent":4.1,"data": [74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60]},"bins": {"c_to_s": [15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01657{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":249,"avg":138004.6,"max":1031142,"stddev":327437.1,"var":107215077376.0,"ent":1.6,"data": [27914,29082,9509,39180,2950,249,59912,307,304,974261,1031142,29550,491,2002,490,730]},"pktlen": {"min":60,"avg":659.1,"max":1514,"stddev":701.2,"var":491744.0,"ent":4.1,"data": [74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60]},"bins": {"c_to_s": [15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":229,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":24,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223766553269,"flow_dst_last_pkt_time":1623223766548680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1177,"flow_dst_tot_l4_payload_len":16557,"midstream":0,"thread_ts_usec":1623226286427901,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":231,"packets-processed":230,"total-skipped-flows":0,"total-l4-payload-len":108050,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":44,"global_ts_usec":1631088115362469}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115362469,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631088115362469,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -348,8 +348,8 @@
 ~~ total active/idle flows...: 47/47
 ~~ total timeout flows.......: 4
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6622762 bytes
-~~ total memory freed........: 6622762 bytes
+~~ total memory allocated....: 6622574 bytes
+~~ total memory freed........: 6622574 bytes
 ~~ total allocations/frees...: 122993/122993
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/skinny.pcap.out b/test/results/skinny.pcap.out
index 80389a47c..10a2efde1 100644
--- a/test/results/skinny.pcap.out
+++ b/test/results/skinny.pcap.out
@@ -10,7 +10,7 @@
 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801130506133,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801130506133,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1317801130506148,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1317801130506148,"pkt":"AB1FDGVjABTy5fxCCABFYABE5ZNAAD8GUDDAqMEMwKjDMgfQyUyJcg5JId4l61AYLGoX3AAAFAAAABQAAAAQAQAAAQAAAEs2LgEDAAAA\/\/\/\/\/w=="}
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1317801130506205,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1317801130506205,"pkt":"AB1FDGVjABTy5fxCCABFYABI5ZVAAD8GUCrAqMEMwKjDMgfQyUyJcg5lId4l61AYLGr9cQAAGAAAABQAAABFAQAAAAAAAAEAAABLNi4BgBczMjEAAAA="}
-01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":245054.2,"max":3609828,"stddev":877176.1,"var":769437794304.0,"ent":1.5,"data": [2211,18,14,5962,3780,258,15,49,20014,19685,10391,48806,3559643,16,82,3609828,11683,20052,16478,36490,7020,23440,32822,19981,11660,17,20000,11522,27273,50735,26736,0]},"pktlen": {"min":60,"avg":114.2,"max":378,"stddev":74.3,"var":5521.7,"ent":4.8,"data": [78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106]},"bins": {"c_to_s": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":245054.2,"max":3609828,"stddev":877176.1,"var":769437794304.0,"ent":1.5,"data": [2211,18,14,5962,3780,258,15,49,20014,19685,10391,48806,3559643,16,82,3609828,11683,20052,16478,36490,7020,23440,32822,19981,11660,17,20000,11522,27273,50735,26736]},"pktlen": {"min":60,"avg":114.2,"max":378,"stddev":74.3,"var":5521.7,"ent":4.8,"data": [78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106]},"bins": {"c_to_s": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134322539,"pkt":"ABTy5fxCAB56JnR1CABFuADIE4MAAEARYEbAqMM6wKjBGH2WJLMAtK8pgIAFmwAC4MD2v1fi\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/39+\/v18ffz+\/f9+\/n17eXh6e357fv1+\/v59\/fx9fX16e379+vv7+359fnv\/\/X3+\/35\/e3v+\/H7\/fnv+fXz9\/v7+fX18fHx7fHt+f3\/\/fv3+f\/7+\/v79\/\/5\/eXt8fX9+f\/\/\/\/39+f3x5e3x6eX1+fv5+f\/78\/P78\/nz+fn5+fA=="}
 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
@@ -36,16 +36,16 @@
 00745{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134389369,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134389369,"pkt":"ABTy5fxCAB56JnR1CABFuADIE40AAEARYDzAqMM6wKjBGH2YJLQAtJABgAAFlgAFiLgeBjsifHt9f319fPv+\/v54f\/7\/e3l9e\/79f3p7fn18e316ff5+\/X58fv1\/\/v9+f3p+f31\/fv3+f31+\/np6fnx8fnz9\/P\/8fv37ff3\/fH7+\/3v\/f318f\/t8fP19fH19\/fl\/ev39+fx9d3Fw+NlhW8pMTLpRPsLeSefcWnbk8lz61FL72VV96Wtf6+1j6G777m\/scn\/3eX7+cXDubGz2fnF77nN2\/A=="}
 00749{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1317801134403859,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134403859,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE+4AAEARX+PAqMMywKjBGEVEJLgAtCDKgAAGQAAC40B8EHHz+vv9\/f7+\/nx6eXh7ff\/9\/fb4+vj5+f5+fHh8eHd5en5++\/39\/Xt\/enl7eH54efr+\/Pp9f3p5fHV4enp\/\/Pj59vn+9vb8fHl6d3t5ev5\/\/P768\/n5+f7+fHV1dnR6fXd8\/31\/eHr+eX39d3n4\/f73+Pz8\/3t7e3p2dn59fPv5+\/v4\/X\/8fH18e39+fv78\/fv59\/b7\/nx7fXh3d3p\/fHt9fg=="}
 00752{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134423839,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134423839,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE\/EAAEARX+DAqMMywKjBGEVEJLgAtBwlgAAGQQAC4+B8EHHzfn78fXn\/eXV9d3b9\/338+\/f7fH59e3p2eX3++\/309fz6e3l6c3h3dnt3fff49\/Pz9vf2+Pv9fX19fX1+\/f1\/e3l5d3d1dHh6fHp6fv7++\/r3+H59fHx9e3l9+\/99\/P37+X57e3l8e3p\/f379\/fv7+\/r8\/v\/8\/n7\/\/\/39fXx6dnd5ev9+eXx6eH16fPx\/\/Pj5+fv7\/H15d3l7fH7\/\/f39\/A=="}
-01688{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":9857.4,"max":25564,"stddev":10215.5,"var":104355640.0,"ent":3.9,"data": [25,19949,10,25564,11,20009,15,19949,15,19947,7,19983,8,20009,7,20042,7,20010,7,19977,4,19971,13,19997,11,20024,12,20020,11,19956,10,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
-01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19901,"avg":20000.7,"max":20073,"stddev":35.0,"var":1222.2,"ent":5.0,"data": [20010,20035,19901,20015,19977,20040,20015,20006,19996,20018,19974,20009,19997,20001,20001,19982,20073,20009,20000,19999,20061,19944,19990,19953,20026,19940,20010,20055,20010,19978,19998,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
-01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19962,"avg":19998.6,"max":20095,"stddev":27.6,"var":759.7,"ent":5.0,"data": [19962,19969,20095,19966,20007,20019,20010,19970,19996,20019,19982,19965,20001,20006,19994,20032,19986,19999,19985,19996,20021,19995,20005,19995,19975,19984,19971,20037,20033,19973,20008,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19475,"avg":19994.9,"max":20520,"stddev":142.6,"var":20347.9,"ent":5.0,"data": [19831,19959,20146,19907,20018,20014,20011,20005,20001,20003,20045,19895,20035,19968,20008,20010,19972,20003,20520,19475,20014,19970,20034,19981,19987,19986,19966,20048,20036,19972,20021,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
-01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19941,"avg":20001.1,"max":20100,"stddev":38.1,"var":1453.4,"ent":5.0,"data": [19977,19980,20100,19974,19997,19973,19984,19994,20002,20000,19996,19991,19980,20100,20004,19971,19986,20073,19948,19997,19947,20007,19941,20015,20065,19981,19993,20024,20019,20002,20013,0]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":9857.4,"max":25564,"stddev":10215.5,"var":104355640.0,"ent":3.9,"data": [25,19949,10,25564,11,20009,15,19949,15,19947,7,19983,8,20009,7,20042,7,20010,7,19977,4,19971,13,19997,11,20024,12,20020,11,19956,10]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19901,"avg":20000.7,"max":20073,"stddev":35.0,"var":1222.2,"ent":5.0,"data": [20010,20035,19901,20015,19977,20040,20015,20006,19996,20018,19974,20009,19997,20001,20001,19982,20073,20009,20000,19999,20061,19944,19990,19953,20026,19940,20010,20055,20010,19978,19998]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19962,"avg":19998.6,"max":20095,"stddev":27.6,"var":759.7,"ent":5.0,"data": [19962,19969,20095,19966,20007,20019,20010,19970,19996,20019,19982,19965,20001,20006,19994,20032,19986,19999,19985,19996,20021,19995,20005,19995,19975,19984,19971,20037,20033,19973,20008]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19475,"avg":19994.9,"max":20520,"stddev":142.6,"var":20347.9,"ent":5.0,"data": [19831,19959,20146,19907,20018,20014,20011,20005,20001,20003,20045,19895,20035,19968,20008,20010,19972,20003,20520,19475,20014,19970,20034,19981,19987,19986,19966,20048,20036,19972,20021]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
+01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19941,"avg":20001.1,"max":20100,"stddev":38.1,"var":1453.4,"ent":5.0,"data": [19977,19980,20100,19974,19997,19973,19984,19994,20002,20000,19996,19991,19980,20100,20004,19971,19986,20073,19948,19997,19947,20007,19941,20015,20065,19981,19993,20024,20019,20002,20013]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1317801140764515,"pkt":"ABTy5fxCAB56JnR1CABFYAA0F0wAAEAG0wzAqMM6ChACGcblB9CCZg4uo3beQVAYIAAasgAABAAAAAAAAAAAAAAA"}
 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2664,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140821803,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1317801140821803,"pkt":"AB56JnR1ABTy5fxCCABFYAAod8dAADwGNp0KEAIZwKjDOgfQxuWjdt5BgmYOOlAQFtAn6gAAAAAAAAAA"}
-01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":704537.4,"max":7045910,"stddev":1877203.8,"var":3523893788672.0,"ent":2.2,"data": [15,57,704,686,19914,3582983,19282,3622236,2065,19,22,17967,15924,20052,36329,2146,19966,30884,40036,6899,19067,13061,64116,28324,103909,42273,80357,6999604,16,5837,7045910,0]},"pktlen": {"min":60,"avg":110.9,"max":546,"stddev":93.8,"var":8793.0,"ent":4.7,"data": [90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60]},"bins": {"c_to_s": [10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":704537.4,"max":7045910,"stddev":1877203.8,"var":3523893788672.0,"ent":2.2,"data": [15,57,704,686,19914,3582983,19282,3622236,2065,19,22,17967,15924,20052,36329,2146,19966,30884,40036,6899,19067,13061,64116,28324,103909,42273,80357,6999604,16,5837,7045910]},"pktlen": {"min":60,"avg":110.9,"max":546,"stddev":93.8,"var":8793.0,"ent":4.7,"data": [90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60]},"bins": {"c_to_s": [10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00728{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1317801141463821,"pkt":"AB56JnR1AB1FDGVjCABFAAA4GBEAAEABWvbAqMMywKjDOgMDmwIAAAAARbgAyBe5AABAEVn2wKjDOsCowzJ9kEU2ALSefw=="}
 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.235927}}
@@ -68,10 +68,10 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6134712 bytes
-~~ total memory freed........: 6134712 bytes
+~~ total memory allocated....: 6134676 bytes
+~~ total memory freed........: 6134676 bytes
 ~~ total allocations/frees...: 124534/124534
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1738 chars
-~~ json string avg len.......: 1113 chars
+~~ json string max len.......: 1736 chars
+~~ json string avg len.......: 1112 chars
diff --git a/test/results/skype-conference-call.pcap.out b/test/results/skype-conference-call.pcap.out
index 8565275ad..8fa8cbf0e 100644
--- a/test/results/skype-conference-call.pcap.out
+++ b/test/results/skype-conference-call.pcap.out
@@ -5,7 +5,7 @@
 01111{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916646303,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1501061916646303,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":1,"num_binding_requests":1,"num_processed_pkts":0}}}
 00649{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1501061916653642,"pkt":"xCwDBkn+XEl5dU5qCABFAACERTYAAG4RtBdoLigxwKgCFOziwIIAcHm6AAEAVCESpEI8yF2moGJ4zvU2wuEABgAJeld5azpncHBlAAAAACQABG7\/\/v+AKQAIAAAAAAACl5OAVAABMQAAAIBwAAQAAAADAAgAFHnv8xovieyQrsQ6j2MMyqg8GNj1gCgABORvfhY="}
 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1501061916690803,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":114,"pkt_l4_len":80,"thread_ts_usec":1501061916690803,"pkt":"XEl5dU5qxCwDBkn+CABFAABkjWYAAEARmgfAqAIUaC4oMcCC7OIAUFnEAQEANCESpEI8yF2moGJ4zvU2wuEAIAAIAAHN8Ek8jHOAcAAEAAAAAwAIABSgsacIkgIOfzKEQbuerkeFTLj204AoAASK\/70B"}
-01863{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":59,"avg":11013.6,"max":100094,"stddev":22446.4,"var":503839616.0,"ent":3.0,"data": [7339,44500,54477,177,54879,336,10342,20091,24441,100094,319,61,211,59,179,235,59,177,199,208,82,2810,14708,381,241,219,267,215,202,197,3718,0]},"pktlen": {"min":77,"avg":299.5,"max":957,"stddev":317.0,"var":100457.8,"ent":4.4,"data": [146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135]},"bins": {"c_to_s": [0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01861{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":59,"avg":11013.6,"max":100094,"stddev":22446.4,"var":503839616.0,"ent":3.0,"data": [7339,44500,54477,177,54879,336,10342,20091,24441,100094,319,61,211,59,179,235,59,177,199,208,82,2810,14708,381,241,219,267,215,202,197,3718]},"pktlen": {"min":77,"avg":299.5,"max":957,"stddev":317.0,"var":100457.8,"ent":4.4,"data": [146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135]},"bins": {"c_to_s": [0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 01077{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":133,"flow_dst_packets_processed":67,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061918126158,"flow_dst_last_pkt_time":1501061918151791,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":915,"flow_src_tot_l4_payload_len":19259,"flow_dst_tot_l4_payload_len":12028,"midstream":0,"thread_ts_usec":1501061918151791,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","packets-captured":200,"packets-processed":200,"total-skipped-flows":0,"total-l4-payload-len":31287,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1501061918151791}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049677 bytes
-~~ total memory freed........: 6049677 bytes
+~~ total memory allocated....: 6049673 bytes
+~~ total memory freed........: 6049673 bytes
 ~~ total allocations/frees...: 121689/121689
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 506 chars
-~~ json string max len.......: 1868 chars
-~~ json string avg len.......: 1136 chars
+~~ json string max len.......: 1866 chars
+~~ json string avg len.......: 1135 chars
diff --git a/test/results/skype.pcap.out b/test/results/skype.pcap.out
index 432180346..db1ab3a18 100644
--- a/test/results/skype.pcap.out
+++ b/test/results/skype.pcap.out
@@ -78,7 +78,7 @@
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"skype.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643343414,"flow_dst_last_pkt_time":1431969642337316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1431969643343414,"pkt":"0NQSxnP1PBXCt3IOCABFAAA+7pYAAEARCKXAqAEiwKgBAf4VADUAKsDYd8YBAAABAAAAAAAABGRzbjQBZAVza3lwZQNuZXQAABwAAQ=="}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486691,"flow_dst_last_pkt_time":1431969642398483,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486691,"pkt":"0NQSxnP1PBXCt3IOCABFAABK1twAAEARIFPAqAEiwKgBAd\/IADUANro4UU4BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAABwAAQ=="}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"skype.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486838,"flow_dst_last_pkt_time":1431969642398350,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486838,"pkt":"0NQSxnP1PBXCt3IOCABFAABKJUgAAEAR0efAqAEiwKgBAcNGADUANrH\/diQBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAAAEAAQ=="}
-01868{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83114.7,"max":300868,"stddev":84343.9,"var":7113900544.0,"ent":4.2,"data": [75158,75224,28759,111209,161,82580,77181,227,77415,12662,300868,288212,83419,83480,324,86654,86327,3080,96533,93421,270,253866,5,253632,1,362,87184,86820,115773,3,115745,0]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66]},"bins": {"c_to_s": [10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01866{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83114.7,"max":300868,"stddev":84343.9,"var":7113900544.0,"ent":4.2,"data": [75158,75224,28759,111209,161,82580,77181,227,77415,12662,300868,288212,83419,83480,324,86654,86327,3080,96533,93421,270,253866,5,253632,1,362,87184,86820,115773,3,115745]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66]},"bins": {"c_to_s": [10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643944313,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643944313,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.33","src_port":50030,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969643944313,"pkt":"0NQSxnP1PBXCt3IOCABFAABAYXlAAEAG9xvAqAEiQTffIcNuAbtcUOQ7AAAAALAC\/\/9\/kQAAAgQFtAEDAwUBAQgKPiKRcAAAAAAEAgAA"}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":112,"source":"skype.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643971809,"flow_src_last_pkt_time":1431969643971809,"flow_dst_last_pkt_time":1431969643971809,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643971809,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":60288,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -824,7 +824,7 @@
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":1,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707326642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969707326642,"pkt":"0NQSxnP1PBXCt3IOCABFAABA1ORAAEAGTF\/AqAEiQAQXpsO3Abu4qWeDAAAAALAC\/\/9x6QAAAgQFtAEDAwUBAQgKPiOH3AAAAAAEAgAA"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1531,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":2,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1431969707546419,"pkt":"PBXCt3IO0NQSxnP1CABFAAA8AABAADYGK0hABBemwKgBIgG7w7ccEsw5uKlnhKASOJDGigAAAgQFrAQCCApMP087PiOH3AEDAwk="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1532,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431969707546527,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969707546527,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0EpBAAEAGDsDAqAEiQAQXpsO3Abu4qWeEHBLMOoAQECwc2gAAAQEICj4jiLdMP087"}
-01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14698,"avg":1938153.5,"max":19850743,"stddev":5863265.0,"var":34377878732800.0,"ent":1.7,"data": [15861,16704,16998,17146,15818,17029,16643,16363,16834,19850743,15743,18751,14698,83170,16831,19850724,16057,16593,16866,16918,16233,17002,16501,16455,16854,19850599,16277,16449,16736,16676,16486,0]},"pktlen": {"min":327,"avg":372.0,"max":405,"stddev":29.2,"var":851.5,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14698,"avg":1938153.5,"max":19850743,"stddev":5863265.0,"var":34377878732800.0,"ent":1.7,"data": [15861,16704,16998,17146,15818,17029,16643,16363,16834,19850743,15743,18751,14698,83170,16831,19850724,16057,16593,16866,16918,16233,17002,16501,16455,16854,19850599,16277,16449,16736,16676,16486]},"pktlen": {"min":327,"avg":372.0,"max":405,"stddev":29.2,"var":851.5,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969659392325,"flow_src_last_pkt_time":1431969659392325,"flow_dst_last_pkt_time":1431969659392325,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.24","src_port":13021,"dst_port":40001,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969660403962,"flow_src_last_pkt_time":1431969660403962,"flow_dst_last_pkt_time":1431969660403962,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.21","src_port":13021,"dst_port":40004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969656410539,"flow_src_last_pkt_time":1431969656410539,"flow_dst_last_pkt_time":1431969656410539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.33","src_port":13021,"dst_port":40011,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -903,7 +903,7 @@
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packet_id":3,"flow_src_last_pkt_time":1431969712981073,"flow_dst_last_pkt_time":1431969712980992,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969712981073,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoyL5AAEAGfAvAqAEiW77YfcO9MD57jsMtWI4CD1AQIAAMeQAA"}
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1632,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713175058,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713175058,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoTzkAAEARqBjAqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1633,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713177253,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713177253,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYIAAEAB8QPAqAEBwKgBIgMDgJYAAAAARQAAKE85AABAEagYwKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="}
-01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":176171.6,"max":964718,"stddev":204459.3,"var":41803603968.0,"ent":4.2,"data": [243983,244064,543,204260,761004,964718,546,202004,201464,40219,40223,162241,162248,40183,40179,200900,6,200973,204113,204068,127,240781,240640,207489,6,207586,2955,4516,199645,198010,41627,0]},"pktlen": {"min":66,"avg":178.6,"max":1506,"stddev":286.0,"var":81813.5,"ent":4.0,"data": [78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1]}}
+01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":176171.6,"max":964718,"stddev":204459.3,"var":41803603968.0,"ent":4.2,"data": [243983,244064,543,204260,761004,964718,546,202004,201464,40219,40223,162241,162248,40183,40179,200900,6,200973,204113,204068,127,240781,240640,207489,6,207586,2955,4516,199645,198010,41627]},"pktlen": {"min":66,"avg":178.6,"max":1506,"stddev":286.0,"var":81813.5,"ent":4.0,"data": [78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713715848,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713715848,"pkt":"0NQSxnP1PBXCt3IOCABFAAAorjMAAEARSR7AqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713717677,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713717677,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYMAAEAB8QLAqAEBwKgBIgMDgJYAAAAARQAAKK4zAABAEUkewKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="}
@@ -981,7 +981,7 @@
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716182666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716182666,"pkt":"0NQSxnP1PBXCt3IOCABFAABAI3FAAEAG8D7AqAEiUYUTucPKrY8W93X3AAAAALAC\/\/8pggAAAgQFtAEDAwUBAQgKPiOqBgAAAAAEAgAA"}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1877,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716265530,"pkt":"PBXCt3IO0NQSxnP1CABFAABAivNAADAGmLxRhRO5wKgBIq2Pw8rX0EaLFvd1+LAS\/\/\/WdwAAAgQFrAEDAwUBAQgKArAx9T4jqgYEAgAA"}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1878,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716265616,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969716265616,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0OVVAAEAG2mbAqAEiUYUTucPKrY8W93X419BGjIAQECwFxAAAAQEICj4jqlUCsDH1"}
-01570{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":62827.2,"max":199756,"stddev":60860.2,"var":3703968000.0,"ent":4.2,"data": [83391,83495,120,64053,63956,403,68492,68085,2947,71202,68249,199756,199749,154162,154128,2646,133845,131248,179,107,71,64327,8428,55511,127901,188,164,70489,3,70121,226,0]},"pktlen": {"min":66,"avg":173.8,"max":1249,"stddev":252.0,"var":63524.5,"ent":4.2,"data": [78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93]},"bins": {"c_to_s": [14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0]}}
+01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":62827.2,"max":199756,"stddev":60860.2,"var":3703968000.0,"ent":4.2,"data": [83391,83495,120,64053,63956,403,68492,68085,2947,71202,68249,199756,199749,154162,154128,2646,133845,131248,179,107,71,64327,8428,55511,127901,188,164,70489,3,70121,226]},"pktlen": {"min":66,"avg":173.8,"max":1249,"stddev":252.0,"var":63524.5,"ent":4.2,"data": [78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93]},"bins": {"c_to_s": [14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0]}}
 00813{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 01183{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1947,"source":"skype.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797621,"flow_dst_last_pkt_time":1431969656652360,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797621,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISY\/IAAEARUx\/AqAEi\/\/\/\/\/0RcRFwB\/vqceyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="}
 01178{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1948,"source":"skype.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797900,"flow_dst_last_pkt_time":1431969656652710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797900,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISf8oAAEARdJ\/AqAEiwKgB\/0RcRFwB\/jf1eyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="}
@@ -1031,7 +1031,7 @@
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":1,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719561453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969719561453,"pkt":"0NQSxnP1PBXCt3IOCABFAABAR+5AAEAG+sPAqAEiW77afcPRMD4OYtZAAAAAALAC\/\/9xPAAAAgQFtAEDAwUBAQgKPiO25AAAAAAEAgAA"}
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2177,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":2,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969719623289,"pkt":"PBXCt3IO0NQSxnP1CABFAAA0Hj5AAPQGcH9bvtp9wKgBIjA+w9E3PWT9DmLWQYASH\/7iJQAAAgQFoAEDAwQBAQQC"}
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2180,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":3,"flow_src_last_pkt_time":1431969719623434,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969719623434,"pkt":"0NQSxnP1PBXCt3IOCABFAAAo4VtAAEAGYW7AqAEiW77afcPRMD4OYtZBNz1k\/lAQIAAi3wAA"}
-01837{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":67784.6,"max":604696,"stddev":135914.5,"var":18472736768.0,"ent":3.0,"data": [148679,148806,840,151642,7,49,150807,1,231,1,31483,95,153251,682,32561,5239,16750,14,176748,67,2129,1532,4,3534,1,449491,70,604696,5454,16453,7,0]},"pktlen": {"min":54,"avg":248.9,"max":1494,"stddev":350.9,"var":123149.1,"ent":4.0,"data": [78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01835{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":67784.6,"max":604696,"stddev":135914.5,"var":18472736768.0,"ent":3.0,"data": [148679,148806,840,151642,7,49,150807,1,231,1,31483,95,153251,682,32561,5239,16750,14,176748,67,2129,1532,4,3534,1,449491,70,604696,5454,16453,7]},"pktlen": {"min":54,"avg":248.9,"max":1494,"stddev":350.9,"var":123149.1,"ent":4.0,"data": [78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":108,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969666429312,"flow_src_last_pkt_time":1431969666429312,"flow_dst_last_pkt_time":1431969666429312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.26","src_port":13021,"dst_port":40026,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969666429312,"flow_src_last_pkt_time":1431969666429312,"flow_dst_last_pkt_time":1431969666429312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.47","src_port":13021,"dst_port":40029,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":104,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969665416767,"flow_src_last_pkt_time":1431969665416767,"flow_dst_last_pkt_time":1431969665416767,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"64.4.23.146","src_port":13021,"dst_port":33033,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -1074,7 +1074,7 @@
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":1,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969720556330,"pkt":"0NQSxnP1PBXCt3IOCABFAABK65gAAEARC5fAqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="}
 01019{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"335.0.7.7.3.rst5.r.skype.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01605{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":104,"avg":325100.5,"max":1782015,"stddev":509745.4,"var":259840393216.0,"ent":3.6,"data": [60786,60878,104,60135,60019,392,72414,72021,2895,63202,60274,262292,262312,157419,157474,3644,187775,184138,1852,62855,110047,171036,158,63674,63522,1468105,1782015,746099,1060012,1410290,1410276,0]},"pktlen": {"min":66,"avg":157.3,"max":1190,"stddev":243.1,"var":59118.2,"ent":4.1,"data": [78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66]},"bins": {"c_to_s": [14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0]}}
+01603{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":104,"avg":325100.5,"max":1782015,"stddev":509745.4,"var":259840393216.0,"ent":3.6,"data": [60786,60878,104,60135,60019,392,72414,72021,2895,63202,60274,262292,262312,157419,157474,3644,187775,184138,1852,62855,110047,171036,158,63674,63522,1468105,1782015,746099,1060012,1410290,1410276]},"pktlen": {"min":66,"avg":157.3,"max":1190,"stddev":243.1,"var":59118.2,"ent":4.1,"data": [78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66]},"bins": {"c_to_s": [14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2273,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596689,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596689,"pkt":"0NQSxnP1PBXCt3IOCABFAABKt0gAAEARP+fAqAEiwKgBAc4GADUANhjrBXkBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAAAEAAQ=="}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596772,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596772,"pkt":"0NQSxnP1PBXCt3IOCABFAABKslEAAEARRN7AqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="}
@@ -1193,7 +1193,7 @@
 00932{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":199,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969689470981,"flow_src_last_pkt_time":1431969689470981,"flow_dst_last_pkt_time":1431969689470981,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"213.199.179.152","src_port":13021,"dst_port":40023,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":0,"flow_first_seen":1431969642337316,"flow_src_last_pkt_time":1431969668794605,"flow_dst_last_pkt_time":1431969642337316,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":34,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":34,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":65045,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00932{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":206,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969691496472,"flow_src_last_pkt_time":1431969691496472,"flow_dst_last_pkt_time":1431969691496472,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"213.199.179.145","src_port":13021,"dst_port":40027,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01611{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1926523.6,"max":25523822,"stddev":6196933.5,"var":38401982070784.0,"ent":2.0,"data": [228112,228245,119,219602,219451,352,214503,214173,209707,209682,96,381818,2061048,2011661,148181,480497,212142,212191,3594,275159,271497,162,220246,3,220142,134,216099,215969,136225,25387599,25523822,0]},"pktlen": {"min":66,"avg":156.5,"max":1090,"stddev":232.3,"var":53983.1,"ent":4.1,"data": [78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66]},"bins": {"c_to_s": [14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0]}}
+01609{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1926523.6,"max":25523822,"stddev":6196933.5,"var":38401982070784.0,"ent":2.0,"data": [228112,228245,119,219602,219451,352,214503,214173,209707,209682,96,381818,2061048,2011661,148181,480497,212142,212191,3594,275159,271497,162,220246,3,220142,134,216099,215969,136225,25387599,25523822]},"pktlen": {"min":66,"avg":156.5,"max":1090,"stddev":232.3,"var":53983.1,"ent":4.1,"data": [78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66]},"bins": {"c_to_s": [14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969745776534,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969745776534,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"239.255.255.250","src_port":56886,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00681{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_packet_id":1,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1431969745776534,"pkt":"AQBef\/\/6PBXCt3IOCABFAACh3hQAAAERKXPAqAEi7\/\/\/+t42B2wAjVUWTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KTVg6IDINCkhPU1Q6IDIzOS4yNTUuMjU1LjI1MDoxOTAwDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KU1Q6IHVybjpzY2hlbWFzLXVwbnAtb3JnOnNlcnZpY2U6V0FOUFBQQ29ubmVjdGlvbjoxDQoNCg=="}
@@ -1494,7 +1494,7 @@
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969653376578,"flow_src_last_pkt_time":1431969653376578,"flow_dst_last_pkt_time":1431969653376578,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":13021,"dst_port":40026,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969653376411,"flow_src_last_pkt_time":1431969653376411,"flow_dst_last_pkt_time":1431969653376411,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.55.130.155","src_port":13021,"dst_port":40020,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969654389222,"flow_src_last_pkt_time":1431969654389222,"flow_dst_last_pkt_time":1431969654389222,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.55.235.176","src_port":13021,"dst_port":40022,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01614{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1348559.6,"max":30125563,"stddev":5301136.0,"var":28102044418048.0,"ent":1.9,"data": [214728,214808,140,223488,223372,360,217535,217176,213636,213655,98,315319,2988490,3022192,145311,494208,215912,215930,3576,275623,272053,209,291401,291140,160,74979,137019,211866,164254,30125563,821148,0]},"pktlen": {"min":66,"avg":155.4,"max":1090,"stddev":232.5,"var":54056.9,"ent":4.1,"data": [78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66]},"bins": {"c_to_s": [15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0]}}
+01612{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1348559.6,"max":30125563,"stddev":5301136.0,"var":28102044418048.0,"ent":1.9,"data": [214728,214808,140,223488,223372,360,217535,217176,213636,213655,98,315319,2988490,3022192,145311,494208,215912,215930,3576,275623,272053,209,291401,291140,160,74979,137019,211866,164254,30125563,821148]},"pktlen": {"min":66,"avg":155.4,"max":1090,"stddev":232.5,"var":54056.9,"ent":4.1,"data": [78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66]},"bins": {"c_to_s": [15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1866,10 +1866,10 @@
 ~~ total active/idle flows...: 293/293
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6826228 bytes
-~~ total memory freed........: 6826228 bytes
+~~ total memory allocated....: 6825056 bytes
+~~ total memory freed........: 6825056 bytes
 ~~ total allocations/frees...: 127591/127591
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1873 chars
-~~ json string avg len.......: 1181 chars
+~~ json string max len.......: 1871 chars
+~~ json string avg len.......: 1180 chars
diff --git a/test/results/skype_no_unknown.pcap.out b/test/results/skype_no_unknown.pcap.out
index 95886c6c9..cec1e8b7c 100644
--- a/test/results/skype_no_unknown.pcap.out
+++ b/test/results/skype_no_unknown.pcap.out
@@ -79,7 +79,7 @@
 01007{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636044810,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044810,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":197,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1431970636044810,"l3_proto":"ip4","src_ip":"17.143.160.149","dst_ip":"192.168.1.34","src_port":5223,"dst_port":50407,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044874,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431970636044874,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0K69AAEAGmybAqAEiEY+glcTnFGcgAvEUyi6rq4AQD\/mVBgAAAQEICj4xjDlVV93M"}
 00658{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636045750,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1431970636045750,"pkt":"0NQSxnP1PBXCt3IOCABFAACO6xNAAEAG22fAqAEiEY+glcTnFGcgAvEUyi6rq4AYEAB7VwAAAQEICj4xjDlVV93MFwMBACDcBm8C5CuEds5WH7uOVSaoSAeWe3pVfjpiQwGsBHUCdhcDAQAwqX6WBIxQfVe36rHY2TMg9Ev1HCHJmLbDku3Ki37TObTq6YVIEEF1VGVKw\/q+D6y6"}
-01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":84935.9,"max":302172,"stddev":91274.9,"var":8331100672.0,"ent":4.1,"data": [75602,75664,27532,108847,162,81462,75632,793,76430,15396,302172,286823,74727,74702,490,91055,90550,1676,83562,81907,257,247113,246931,287,176,301,92281,92015,289787,38677,4,0]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71]},"bins": {"c_to_s": [9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01879{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":84935.9,"max":302172,"stddev":91274.9,"var":8331100672.0,"ent":4.1,"data": [75602,75664,27532,108847,162,81462,75632,793,76430,15396,302172,286823,74727,74702,490,91055,90550,1676,83562,81907,257,247113,246931,287,176,301,92281,92015,289787,38677,4]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71]},"bins": {"c_to_s": [9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970636300980,"pkt":"0NQSxnP1PBXCt3IOCABFAABLV\/cAAEARnzfAqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="}
 01027{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"pipe.prd.skypedata.akadns.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -111,7 +111,7 @@
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1431970637443973,"flow_dst_last_pkt_time":1431970635325136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1431970637443973,"pkt":"0NQSxnP1PBXCt3IOCABFAAA6+FgAAEAR\/ubAqAEiwKgBAfgaADUAJptGWcsBAAABAAAAAAAAAnVpBXNreXBlA2NvbQAAAQAB"}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471236,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471236,"pkt":"0NQSxnP1PBXCt3IOCABFAABLoPEAAEARVj3AqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471318,"flow_dst_last_pkt_time":1431970636301275,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471318,"pkt":"0NQSxnP1PBXCt3IOCABFAABL\/NIAAEAR+lvAqAEiwKgBAcopADUAN1kA5GsBAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAAcAAE="}
-01699{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":169356.6,"max":1077385,"stddev":340339.8,"var":115831160832.0,"ent":2.7,"data": [72,141755,4583,11838,4,158204,1417,4,1400,933119,61,1077385,3887,16084,4,164206,1860,3,1840,866377,142,1010555,4963,11788,160778,157,141,0,0,0,0,0]},"pktlen": {"min":54,"avg":238.9,"max":680,"stddev":252.7,"var":63877.7,"ent":4.3,"data": [680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":169356.6,"max":1077385,"stddev":340339.8,"var":115831160832.0,"ent":2.7,"data": [72,141755,4583,11838,4,158204,1417,4,1400,933119,61,1077385,3887,16084,4,164206,1860,3,1840,866377,142,1010555,4963,11788,160778,157,141]},"pktlen": {"min":54,"avg":238.9,"max":680,"stddev":252.7,"var":63877.7,"ent":4.3,"data": [680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00579{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1431970642408833,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAABOkRoAAEARZRPAqAEiwKgB\/wCJAIkAOosFRXIBEAABAAAAAAAAIEFCQUNGUEZQRU5GREVDRkNFUEZIRkRFRkZQRlBBQ0FCAAAgAAE="}
 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"__msbrowse__"}}
@@ -817,7 +817,7 @@
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1353,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":228,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686381625,"flow_dst_last_pkt_time":1431970686381504,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686381625,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoqoZAAEAGmEPAqAEiW77afchVMD6WWeS3Rpk1L1AQIACoYAAA"}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1361,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":225,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686624286,"flow_dst_last_pkt_time":1431970685835490,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686624286,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoWF8AAEARnvLAqAEiwKgBAeasFOcAFAzzAAEAADLdMt0AAA4Q"}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1362,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686627227,"flow_dst_last_pkt_time":1431970685839326,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431970686627227,"pkt":"PBXCt3IO0NQSxnP1CABFwABElr8AAEABX8bAqAEBwKgBIgMDgJYAAAAARQAAKFhfAABAEZ7ywKgBIsCoAQHmrBTnABQM8wABAAAy3TLdAAAOEA=="}
-01608{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":244603.4,"max":1296903,"stddev":277928.5,"var":77244252160.0,"ent":4.1,"data": [1006187,1296903,290818,554,292771,2163,294344,530,293322,292842,39566,39558,253265,253274,40127,40121,350396,3,350380,293934,293924,133,334278,334179,299989,7,300043,2124,4226,292441,290303,0]},"pktlen": {"min":66,"avg":180.6,"max":1506,"stddev":288.6,"var":83264.9,"ent":4.0,"data": [78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0]}}
+01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":244603.4,"max":1296903,"stddev":277928.5,"var":77244252160.0,"ent":4.1,"data": [1006187,1296903,290818,554,292771,2163,294344,530,293322,292842,39566,39558,253265,253274,40127,40121,350396,3,350380,293934,293924,133,334278,334179,299989,7,300043,2124,4226,292441,290303]},"pktlen": {"min":66,"avg":180.6,"max":1506,"stddev":288.6,"var":83264.9,"ent":4.0,"data": [78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0]}}
 00826{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970686843964,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970686843964,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"91.190.218.125","src_port":51286,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_packet_id":1,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970686843964,"pkt":"0NQSxnP1PBXCt3IOCABFAABAXdpAAEAG5NfAqAEiW77afchWAbv9gi8BAAAAALAC\/\/+4gAAAAgQFtAEDAwUBAQgKPjJRrgAAAAAEAgAA"}
@@ -931,7 +931,7 @@
 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1755,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":251,"flow_packet_id":3,"flow_src_last_pkt_time":1431970693239613,"flow_dst_last_pkt_time":1431970693239490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970693239613,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoI6NAAEAGISfAqAEiW77YfchmAbumoVhkgmR6JFAQIADUHQAA"}
 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970694308651,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970694308651,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"80.121.84.93","src_port":51303,"dst_port":62381,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970694308651,"pkt":"0NQSxnP1PBXCt3IOCABFAABA0wpAAEAGAQ3AqAEiUHlUXchn861MQWgbAAAAALAC\/\/+zaQAAAgQFtAEDAwUBAQgKPjJuTgAAAAAEAgAA"}
-01611{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":281313.8,"max":2004084,"stddev":501089.8,"var":251090993152.0,"ent":3.5,"data": [69753,69875,128,64112,63941,396,65391,64977,1952,66745,64884,268026,267948,126507,126511,3724,173414,169731,172,68870,95737,164424,174,67018,66860,198434,1936170,2004084,795927,1062252,592589,0]},"pktlen": {"min":66,"avg":157.2,"max":1190,"stddev":243.0,"var":59065.6,"ent":4.1,"data": [78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111]},"bins": {"c_to_s": [13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1]}}
+01609{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":281313.8,"max":2004084,"stddev":501089.8,"var":251090993152.0,"ent":3.5,"data": [69753,69875,128,64112,63941,396,65391,64977,1952,66745,64884,268026,267948,126507,126511,3724,173414,169731,172,68870,95737,164424,174,67018,66860,198434,1936170,2004084,795927,1062252,592589]},"pktlen": {"min":66,"avg":157.2,"max":1190,"stddev":243.0,"var":59065.6,"ent":4.1,"data": [78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111]},"bins": {"c_to_s": [13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1]}}
 00825{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431970695316316,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970695316316,"pkt":"0NQSxnP1PBXCt3IOCABFAABAwedAAEAGEjDAqAEiUHlUXchn861MQWgbAAAAALAC\/\/+vgAAAAgQFtAEDAwUBAQgKPjJyNwAAAAAEAgAA"}
 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1817,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":253,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970695865959,"flow_src_last_pkt_time":1431970695865959,"flow_dst_last_pkt_time":1431970695865959,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970695865959,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"149.13.32.15","src_port":51305,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1051,7 +1051,7 @@
 00770{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":1,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1431970707911507,"pkt":"0NQSxnP1PBXCt3IOCABFAAAu+nsAAEAR9XPAqAEihexDGTLdwCsAGiMOfdMCo1rvIegrMqRysYXm5vlz"}
 00900{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
-01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":491,"avg":1934748.2,"max":19856559,"stddev":5865016.5,"var":34398418239488.0,"ent":1.7,"data": [557,584,518,491,526,99678,590,558,630,19856559,16227,16968,16620,16461,16743,19850608,16179,16542,16730,16663,16557,16953,16553,16675,16584,19850616,15995,16653,16828,16721,16628,0]},"pktlen": {"min":327,"avg":370.7,"max":405,"stddev":29.1,"var":844.3,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":491,"avg":1934748.2,"max":19856559,"stddev":5865016.5,"var":34398418239488.0,"ent":1.7,"data": [557,584,518,491,526,99678,590,558,630,19856559,16227,16968,16620,16461,16743,19850608,16179,16542,16730,16663,16557,16953,16553,16675,16584,19850616,15995,16653,16828,16721,16628]},"pktlen": {"min":327,"avg":370.7,"max":405,"stddev":29.1,"var":844.3,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970708715662,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708715662,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"212.161.8.36","src_port":51319,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":1,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970708715662,"pkt":"0NQSxnP1PBXCt3IOCABFAABAWHtAAEAGQ63AqAEi1KEIJMh3NFBvQ5mUAAAAALAC\/\/+uawAAAgQFtAEDAwUBAQgKPjKmLwAAAAAEAgAA"}
 00941{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2146,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970687262098,"flow_src_last_pkt_time":1431970687262098,"flow_dst_last_pkt_time":1431970687262098,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708726988,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"189.188.134.174","src_port":13021,"dst_port":22436,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -1394,10 +1394,10 @@
 ~~ total active/idle flows...: 267/267
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6708126 bytes
-~~ total memory freed........: 6708126 bytes
+~~ total memory allocated....: 6707058 bytes
+~~ total memory freed........: 6707058 bytes
 ~~ total allocations/frees...: 126318/126318
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 200 chars
-~~ json string max len.......: 1886 chars
-~~ json string avg len.......: 1043 chars
+~~ json string max len.......: 1884 chars
+~~ json string avg len.......: 1042 chars
diff --git a/test/results/skype_udp.pcap.out b/test/results/skype_udp.pcap.out
index d94bb7147..2c7c52967 100644
--- a/test/results/skype_udp.pcap.out
+++ b/test/results/skype_udp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035790 bytes
-~~ total memory freed........: 6035790 bytes
+~~ total memory allocated....: 6035786 bytes
+~~ total memory freed........: 6035786 bytes
 ~~ total allocations/frees...: 121492/121492
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/smb_deletefile.pcap.out b/test/results/smb_deletefile.pcap.out
index ea393bb41..240d955ad 100644
--- a/test/results/smb_deletefile.pcap.out
+++ b/test/results/smb_deletefile.pcap.out
@@ -5,7 +5,7 @@
 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315417275,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":380,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":380,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1584368315417275,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":""}}
 01193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"thread_ts_usec":1584368315418447,"pkt":"KDc3AG3I2MuK4S0uCABFAAIcOK5AAIAGO6zAqAG7wKgBdgG93hDyQzIj6KAG5lAYEAjw+QAAAAAB8P5TTUJAAAEAAAAAAAUAAAABAAAAmAAAAJwPAAAAAAAA\/\/4AABEAAAAdAAAAACgAAAAAAAAAAAAAAAAAAAAAAABZAAAAAQAAAPJad+s0itQBeC8Pcpz71QGM0O1xnPvVAYzQ7XGc+9UBACAAAAAAAAAAIAAAAAAAABEAAAAAAAAAEgQAAAoAAABlAAAACgAAAAAAAAAAAAAA\/lNNQkAAAQAAAAAADgAAAAUAAADYAAAAnQ8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAkASACOAAAAAAAAAAAAAAAzwlM5LZjUATN2tkyb+9UBqrZQPC2Y1AHHrtHNIlnVAYD0HQAAAAAAAAAeAAAAAAAgAAAAJgAAAAAAAAAYAEkATgBOAE8AUwBFAH4AMQAuAEUAWABFAAAAq04CAAAAAQBpAG4AbgBvAHMAZQB0AHUAcAAtADUALgA2AC4AMQAuAGUAeABlAAAA\/lNNQkAAAQAAAAAABgADAAUAAAAAAAAAng8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584368315418500,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1584368315418500,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGtk7AqAF2wKgBu94QAb3ooAbm8kM0F1AQqfyLpgAA"}
-01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":20,"avg":142654.1,"max":2158424,"stddev":529256.2,"var":280112168960.0,"ent":1.2,"data": [1172,1225,2157281,2158424,1159,87,1253,1160,7461,9355,1883,124,103,75,20,492,151,550,5618,5637,4741,5866,1131,107,1245,1127,130,997,857,25951,26895,0]},"pktlen": {"min":54,"avg":266.6,"max":554,"stddev":190.9,"var":36432.9,"ent":4.6,"data": [434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466]},"bins": {"c_to_s": [10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
+01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":20,"avg":142654.1,"max":2158424,"stddev":529256.2,"var":280112168960.0,"ent":1.2,"data": [1172,1225,2157281,2158424,1159,87,1253,1160,7461,9355,1883,124,103,75,20,492,151,550,5618,5637,4741,5866,1131,107,1245,1127,130,997,857,25951,26895]},"pktlen": {"min":54,"avg":266.6,"max":554,"stddev":190.9,"var":36432.9,"ent":4.6,"data": [434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466]},"bins": {"c_to_s": [10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00934{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":39,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317802053,"flow_dst_last_pkt_time":1584368317801987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":476,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":11034,"flow_dst_tot_l4_payload_len":14218,"midstream":1,"thread_ts_usec":1584368317802053,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}}
 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25252,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584368317802053}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038574 bytes
-~~ total memory freed........: 6038574 bytes
+~~ total memory allocated....: 6038570 bytes
+~~ total memory freed........: 6038570 bytes
 ~~ total allocations/frees...: 121588/121588
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
-~~ json string max len.......: 1729 chars
-~~ json string avg len.......: 1076 chars
+~~ json string max len.......: 1727 chars
+~~ json string avg len.......: 1075 chars
diff --git a/test/results/smb_frags.pcap.out b/test/results/smb_frags.pcap.out
index 8cae8167b..6dd606770 100644
--- a/test/results/smb_frags.pcap.out
+++ b/test/results/smb_frags.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037958 bytes
-~~ total memory freed........: 6037958 bytes
+~~ total memory allocated....: 6037954 bytes
+~~ total memory freed........: 6037954 bytes
 ~~ total allocations/frees...: 121498/121498
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/smbv1.pcap.out b/test/results/smbv1.pcap.out
index 404052c8f..b606e5ebd 100644
--- a/test/results/smbv1.pcap.out
+++ b/test/results/smbv1.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037929 bytes
-~~ total memory freed........: 6037929 bytes
+~~ total memory allocated....: 6037925 bytes
+~~ total memory freed........: 6037925 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/smpp_in_general.pcap.out b/test/results/smpp_in_general.pcap.out
index 1e0b5e9b3..bdf4ce745 100644
--- a/test/results/smpp_in_general.pcap.out
+++ b/test/results/smpp_in_general.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038186 bytes
-~~ total memory freed........: 6038186 bytes
+~~ total memory allocated....: 6038182 bytes
+~~ total memory freed........: 6038182 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/smtp-starttls.pcap.out b/test/results/smtp-starttls.pcap.out
index 7f60ff182..b6b406dba 100644
--- a/test/results/smtp-starttls.pcap.out
+++ b/test/results/smtp-starttls.pcap.out
@@ -9,7 +9,7 @@
 01016{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124864365,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":235,"midstream":0,"thread_ts_usec":1388017124864532,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 01018{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124876575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":1653,"midstream":0,"thread_ts_usec":1388017124876575,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 01018{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124876854,"flow_dst_last_pkt_time":1388017124876863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":3924,"midstream":0,"thread_ts_usec":1388017124876863,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
-01872{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":29682.5,"max":156957,"stddev":34710.8,"var":1204840832.0,"ent":4.2,"data": [11168,11193,11857,11849,79,11152,39169,67072,28169,11489,12210,262,12322,26,24821,37890,13457,11887,11608,11639,11817,51431,103694,156957,13622,11529,11126,16410,67319,42853,94080,0]},"pktlen": {"min":66,"avg":254.3,"max":1484,"stddev":368.1,"var":135468.5,"ent":4.1,"data": [74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147]},"bins": {"c_to_s": [9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":29682.5,"max":156957,"stddev":34710.8,"var":1204840832.0,"ent":4.2,"data": [11168,11193,11857,11849,79,11152,39169,67072,28169,11489,12210,262,12322,26,24821,37890,13457,11887,11608,11639,11817,51431,103694,156957,13622,11529,11126,16410,67319,42853,94080]},"pktlen": {"min":66,"avg":254.3,"max":1484,"stddev":368.1,"var":135468.5,"ent":4.1,"data": [74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147]},"bins": {"c_to_s": [9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00563{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":37,"packets-processed":36,"total-skipped-flows":0,"total-l4-payload-len":6011,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1524746968365832}
 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1524746968365832,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00563{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":18,"pkt_l4_offset":58,"pkt_len":90,"pkt_l4_len":32,"thread_ts_usec":1524746968365832,"pkt":"tAwlBY4TAAwpwTTcgQAAfYbdYAAAAAAgBkAgAwDeIBYBJfw2gxdOhstyIAMA3iAWASAAAAAACggAUx2KABlaBfS8AAAAAIACIAC67wAAAgQFoAEDAwIBAQQC"}
@@ -18,7 +18,7 @@
 00993{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968396333,"flow_dst_last_pkt_time":1524746968396833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":210,"midstream":0,"thread_ts_usec":1524746968396833,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"jw-vm08-int-dns.webernetz.net","smtp": {"user":"","password":"","auth_failed":0}}}
 01042{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":46,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968397832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":240,"midstream":0,"thread_ts_usec":1524746968398581,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968403958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1524746968403958,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
-01979{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19099.3,"max":202908,"stddev":48707.1,"var":2372380928.0,"ent":2.8,"data": [744,995,19017,29506,11113,127,1248,999,1000,6126,12754,624,8625,202034,202908,998,7251,6751,7252,7260,1247,2128,2995,378,21009,21750,990,6762,2,6750,736,0]},"pktlen": {"min":78,"avg":198.5,"max":1218,"stddev":257.1,"var":66086.8,"ent":4.3,"data": [90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78]},"bins": {"c_to_s": [7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
+01977{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19099.3,"max":202908,"stddev":48707.1,"var":2372380928.0,"ent":2.8,"data": [744,995,19017,29506,11113,127,1248,999,1000,6126,12754,624,8625,202034,202908,998,7251,6751,7252,7260,1247,2128,2995,378,21009,21750,990,6762,2,6750,736]},"pktlen": {"min":78,"avg":198.5,"max":1218,"stddev":257.1,"var":66086.8,"ent":4.3,"data": [90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78]},"bins": {"c_to_s": [7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01182{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":17,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968663137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}}
 01051{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":19,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125228821,"flow_dst_last_pkt_time":1388017125239930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":69,"packets-processed":69,"total-skipped-flows":0,"total-l4-payload-len":9842,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":6,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1524746968663137}
@@ -30,10 +30,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6061636 bytes
-~~ total memory freed........: 6061636 bytes
+~~ total memory allocated....: 6061628 bytes
+~~ total memory freed........: 6061628 bytes
 ~~ total allocations/frees...: 121601/121601
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1984 chars
-~~ json string avg len.......: 1237 chars
+~~ json string max len.......: 1982 chars
+~~ json string avg len.......: 1236 chars
diff --git a/test/results/smtp.pcap.out b/test/results/smtp.pcap.out
index 447b6c546..778dd86dd 100644
--- a/test/results/smtp.pcap.out
+++ b/test/results/smtp.pcap.out
@@ -5,7 +5,7 @@
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":934028408568957,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":934028408569273,"pkt":"ABB7OEYzAMBPo1fbCABFAAAsFcQAAEAGi4esEHLPwgf4mQAZCE+jURBm5ahCFGASf+Ba2AAAAgQFtAW0"}
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":934028408570091,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":934028408570091,"pkt":"AMBPo1fbABB7OEYzCABFAAAoEDRAAD8GUhvCB\/iZrBByzwhPABnlqEIUo1EQZ1AQfXh0\/QAAAAAAAAAA"}
 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408647164,"flow_dst_last_pkt_time":934028408647434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":154,"midstream":0,"thread_ts_usec":934028408647434,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"pigeon.eyrie.af.mil","smtp": {"user":"","password":"","auth_failed":0}}}
-01670{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":316,"avg":5827.3,"max":55118,"stddev":11962.2,"var":143094448.0,"ent":3.2,"data": [316,1134,19693,31096,24595,55118,2208,21382,1142,1166,1125,1230,1225,1086,1083,1063,1064,1068,1066,1077,1106,1085,1057,1068,1067,1048,1046,1060,1062,1055,1054,0]},"pktlen": {"min":60,"avg":87.6,"max":138,"stddev":15.2,"var":230.1,"ent":5.0,"data": [60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91]},"bins": {"c_to_s": [5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01668{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":316,"avg":5827.3,"max":55118,"stddev":11962.2,"var":143094448.0,"ent":3.2,"data": [316,1134,19693,31096,24595,55118,2208,21382,1142,1166,1125,1230,1225,1086,1083,1063,1064,1068,1066,1077,1106,1085,1057,1068,1067,1048,1046,1060,1062,1055,1054]},"pktlen": {"min":60,"avg":87.6,"max":138,"stddev":15.2,"var":230.1,"ent":5.0,"data": [60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91]},"bins": {"c_to_s": [5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":44,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408801393,"flow_dst_last_pkt_time":934028408801610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":16527,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":934028408801610,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","packets-captured":95,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":17955,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":934028408801610}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040448 bytes
-~~ total memory freed........: 6040448 bytes
+~~ total memory allocated....: 6040444 bytes
+~~ total memory freed........: 6040444 bytes
 ~~ total allocations/frees...: 121583/121583
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1675 chars
-~~ json string avg len.......: 1029 chars
+~~ json string max len.......: 1673 chars
+~~ json string avg len.......: 1028 chars
diff --git a/test/results/smtps.pcapng.out b/test/results/smtps.pcapng.out
index 9f095ce9c..1afd81042 100644
--- a/test/results/smtps.pcapng.out
+++ b/test/results/smtps.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039865 bytes
-~~ total memory freed........: 6039865 bytes
+~~ total memory allocated....: 6039861 bytes
+~~ total memory freed........: 6039861 bytes
 ~~ total allocations/frees...: 121494/121494
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/snapchat.pcap.out b/test/results/snapchat.pcap.out
index b93005674..734891b9c 100644
--- a/test/results/snapchat.pcap.out
+++ b/test/results/snapchat.pcap.out
@@ -30,8 +30,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052839 bytes
-~~ total memory freed........: 6052839 bytes
+~~ total memory allocated....: 6052827 bytes
+~~ total memory freed........: 6052827 bytes
 ~~ total allocations/frees...: 121572/121572
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/snapchat_call.pcapng.out b/test/results/snapchat_call.pcapng.out
index ba729e289..627e57870 100644
--- a/test/results/snapchat_call.pcapng.out
+++ b/test/results/snapchat_call.pcapng.out
@@ -6,7 +6,7 @@
 02340{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037006,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037006,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60BAACUR+rISuIqOwKgMqQG7pGMFThqhw1EwNDYFw4BG53qjBuoAAAABHHnqt4ztMz51vP6XgAFSRUoABwAAAFNUSwA5AAAAU05PAG0AAABQUk9GtAAAAFNDRkc7AQAAUlJFSj8BAABTVFRMRwEAAENSVP9OBwAAbUU2ixV5Jj1qHEQQZYOHtdotUTPKCy0omzKN6SE7STZ4\/rKMxZ9\/rrj8l9tx+PhU9mRQzeJZ+1Dabp0JaMw4Ax2lLo8wBUBdtg1GpS3urBIhqVx\/8nRPLB1cTLrUpB570Ce5EPUwnKR9lOYP4jBFAiB3SpfbIfQpyAe+ZsA1KXWbSYFVXmlAhM9hKVIcNwAFzwIhAKINNKjm9Y0DRmywB4GeockL0Y3PJJ2PTHmxvqAl6rucU0NGRwYAAABBRUFECAAAAFNDSUQYAAAAUFVCUzsAAABLRVhTPwAAAE9CSVRHAAAARVhQWU8AAABBRVNHQ0MyMAO\/Pud+GiRqUM930xoSwNMgAAAzgoMwBXTcjfX\/uLgWESbe\/GDn3+Z5Wy5eude5hIrxK0MyNTUy3iwBeDJ0hdzKD01zAQAADAAAAHLO80MAAAAAAQEA6ggAAHi7IlF+sTNiZQCWXKx6Bk0smxcAyyAmJgFO2z2LJtgwHuFZfF6JuflcqgEXGwewWDpny8LMbOCDWiSJGghD0i2PS2Z6Jqg4ACVbQzWg\/8FJRBYu7OrsjFmUAwsFIwNgXkJkLSMjUNYyNAJzDVJQbYOmUQ5hLmdg+knLL8rLTIQ5gV2YJzgxryRRwTc\/Dxh4hkIGAhCXcQbnJRZAMhNUKTMPj5YeMFhzMstS9TLzDSKBwuxgHzIxQr3KzMjO7MTA0igTPiXBhk\/onni666rTEwW2GV7P0HIt5RAIXKgqHG0lyz+LaQ37Sb9X68wmMzzfpJMbI+6\/war2EINr2z3pHSav6hc3MccaNDFHokTO4rnP5H\/esvQ\/kPdi4umpS28ZPuKaj1RHBL7\/ujNAPVOn37WS752O83bRN1k7DJRB0oIsMgZSTShub+JC8gdKYcjeQKjszISUlUkGCQZ6C3QWaLVpIMpKY72UTKR8UVycnKibmpysm24IrtEw1JvgV+8DKQhdDZyBxSOkYfA3h5ERX\/GLYp5zQLABBxtbeiMPMIEaVCPltXyDXNx5DdkMA1ekvGYJc3kiSLoY1TJYkgWmWEiCRSp3StBqrCbGWjYucEl5rZKJhYmliTEXiDMZ0xnKGNyWhr4u\/TVRwWDros7ML59rBXUcS\/b99dzRuvrTn4J\/ue4MDIyF97xNnBgYWJgZ3A1cmRQZZl+WnuB1dsnif3fPXLu66NVPttQQNgnXFyeSpjbviVMPvsSkkKnJ8SbX7sSrj30mcX6\/VAWXm72+rLYpIjtI\/4Pe2rlv1IH2Krm6skeGqoRNs1+o\/\/F7btsDZbXktQe862OPNcfkPeJngtqrDrdXwUB1507jl12PbQL\/ybLt+9VWcsd2\/4OdQYxPekSfzHnGdBnksoD\/k8V3L9Lbv0bDO\/WlV93k58q8IeJ7Shd\/k5gaMNlDhaGUIXDxhq9\/GSvnhOXuMK\/o51lSdUZa\/fT3eR1Os3j\/XelmfQq11x5sr5uBC5NC2tpbFwyfLJZe8nnhYvF5pYurJx\/i93xZwbWvt+mx29md\/5kUgrJ0vgl\/6lq870XJzFvZL9lvZZeX8D\/9s4v3bXp609M\/CshlE3Mmg0EakyHDDbOtMsq6skVXu5mVPu76eNXwNe+pKj\/OfovXBece+Cifdpz8TnOjJcPFhjtTSzUqxSSAWrZv6p0iOl+y6nXK3m9XXNa84pm1qPWQefDM"}
 02314{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037074,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037074,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60FAACUR+rESuIqOwKgMqQG7pGMFTlWjw1EwNDYFw4BG53qjBuoAAAACYTy54mZ50XnS5MjxpAEFJgJoF8maXr+sg1zn\/py4s01uT+X8o3fm32Z\/27aBGVRqMq8xaGKaAi01uU5r7HKLe2rJUVZS8PnsMSHkxhwPsDGXSFTBCa1buYUF0POAoYKBHKRMFYfrgNSNCkH5+SWw9rKxgbGBBbT4BJamyFwql91lwAIWXmqyajeyMCgxJzGwPOJwelV+Q+XeAp2UJcLnHOYoF61k4uIzt1c029EbLPLt6sSp3p+nMfUWyh25cXr5\/Lj3C57VR00SnBac\/\/rAaft1f6Pt3VWez2LXm7Zvhf7ucIn1hUv2VljJvYi2yU4R1D5jot2zuIlREZjtZA2E4BmRw4ANSDEBW4soJSBjm4EJUkmhYaBGZEnhBCkYrUGNuQWmC4zbDHEWjLAggsQEKCIgzRMDW0iJZwas2ozYWIBMBpIKO0R1gLW2QK5OmO8FmIZd9Nmd9mHxI2npw9M32V4MRUt84P7L8a4Fzt5vSk4eXX1V3sDULG9GWLXHGtbkddWzwlXCz+T\/urc6d87xbbvenHt+qjjl9n0Wcy4Gz83289XWTuxReCHfwaf1O838hMGLS4dUlrt66L5iDPAynCJ8vzf+ltZuT5vEz5Un5qRNkpqm9aXaLGKxjqNAidTltx7bLu3uYnMtNBYwqKqaoXhXZeebOVsnsa9tPnYk60f5M9N9wvzqKZuc9ze\/LA+7zdE+xV3ka7zG+sUZPs39Cd+nNVS2ZpWpzZ3Ko8Dca\/euSiM1JW3JzeZXM0vO5vnWyrzu3XR0vZi034nPoa86LARNZAXX27Ov8M+6VCKor\/WneHv8IVFn1pxrtbeY9irN9r\/8sxwAcED2UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 01044{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":20,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":9,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865799615597,"flow_dst_last_pkt_time":1595865799120864,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3730,"flow_dst_tot_l4_payload_len":4552,"midstream":0,"thread_ts_usec":1595865799615597,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","quic": {}}}
-01874{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":221156.5,"max":1447282,"stddev":397282.2,"var":157833134080.0,"ent":3.2,"data": [16846,68,30414,96,24231,5110,25,16,20308,29142,5531,102,7,211,2051,54351,38,19,507575,1447282,48721,53521,57932,1172660,3328,7500,379723,803486,440070,1155688,589800,0]},"pktlen": {"min":62,"avg":345.9,"max":1392,"stddev":468.5,"var":219532.9,"ent":4.0,"data": [1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86]},"bins": {"c_to_s": [4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01872{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":221156.5,"max":1447282,"stddev":397282.2,"var":157833134080.0,"ent":3.2,"data": [16846,68,30414,96,24231,5110,25,16,20308,29142,5531,102,7,211,2051,54351,38,19,507575,1447282,48721,53521,57932,1172660,3328,7500,379723,803486,440070,1155688,589800]},"pktlen": {"min":62,"avg":345.9,"max":1392,"stddev":468.5,"var":219532.9,"ent":4.0,"data": [1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86]},"bins": {"c_to_s": [4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 01065{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":25,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865807298358,"flow_dst_last_pkt_time":1595865807311868,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4245,"flow_dst_tot_l4_payload_len":6427,"midstream":0,"thread_ts_usec":1595865807311868,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":10672,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1595865807311868}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037095 bytes
-~~ total memory freed........: 6037095 bytes
+~~ total memory allocated....: 6037091 bytes
+~~ total memory freed........: 6037091 bytes
 ~~ total allocations/frees...: 121537/121537
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/snmp.pcap.out b/test/results/snmp.pcap.out
index 39cf3016b..61c702367 100644
--- a/test/results/snmp.pcap.out
+++ b/test/results/snmp.pcap.out
@@ -124,8 +124,8 @@
 ~~ total active/idle flows...: 17/17
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6063696 bytes
-~~ total memory freed........: 6063696 bytes
+~~ total memory allocated....: 6063628 bytes
+~~ total memory freed........: 6063628 bytes
 ~~ total allocations/frees...: 121717/121717
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/soap.pcap.out b/test/results/soap.pcap.out
index b14833db4..45f7df878 100644
--- a/test/results/soap.pcap.out
+++ b/test/results/soap.pcap.out
@@ -26,8 +26,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043719 bytes
-~~ total memory freed........: 6043719 bytes
+~~ total memory allocated....: 6043707 bytes
+~~ total memory freed........: 6043707 bytes
 ~~ total allocations/frees...: 121535/121535
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/socks-http-example.pcap.out b/test/results/socks-http-example.pcap.out
index 98328fd7f..413d5bc08 100644
--- a/test/results/socks-http-example.pcap.out
+++ b/test/results/socks-http-example.pcap.out
@@ -27,8 +27,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046379 bytes
-~~ total memory freed........: 6046379 bytes
+~~ total memory allocated....: 6046367 bytes
+~~ total memory freed........: 6046367 bytes
 ~~ total allocations/frees...: 121556/121556
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 503 chars
diff --git a/test/results/softether.pcap.out b/test/results/softether.pcap.out
index 630c1ab71..08bc0eced 100644
--- a/test/results/softether.pcap.out
+++ b/test/results/softether.pcap.out
@@ -79,7 +79,7 @@
 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":128,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657906405961000,"flow_dst_last_pkt_time":1657906406215000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":972,"flow_dst_tot_l4_payload_len":964,"midstream":0,"thread_ts_usec":1657906406215000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":131,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":14,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657906456047000,"flow_dst_last_pkt_time":1657906431208000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":974,"flow_dst_tot_l4_payload_len":992,"midstream":0,"thread_ts_usec":1657906456047000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00564{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":131,"source":"softether.pcap","alias":"nDPId-test","packets-captured":131,"packets-processed":130,"total-skipped-flows":0,"total-l4-payload-len":10412,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":29,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":81,"global_ts_usec":1657907318692000}
-01843{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":257000,"avg":36711136.0,"max":1566080232,"stddev":451865472.0,"var":204182401654456320.0,"ent":2.7,"data": [257000,27676000,27674000,26195000,26194000,26159000,26161000,10299000,10301000,14858000,14853000,27814000,27815000,25788000,1540291232,1566080232,18689000,18689000,5427000,5426000,27856000,27856000,26072000,26072000,26524000,26524000,24993000,24993000,25093000,862645000,887738000,0]},"pktlen": {"min":43,"avg":104.3,"max":522,"stddev":132.5,"var":17556.2,"ent":4.3,"data": [43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01841{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":257000,"avg":36711136.0,"max":1566080232,"stddev":451865472.0,"var":204182401654456320.0,"ent":2.7,"data": [257000,27676000,27674000,26195000,26194000,26159000,26161000,10299000,10301000,14858000,14853000,27814000,27815000,25788000,1540291232,1566080232,18689000,18689000,5427000,5426000,27856000,27856000,26072000,26072000,26524000,26524000,24993000,24993000,25093000,862645000,887738000]},"pktlen": {"min":43,"avg":104.3,"max":522,"stddev":132.5,"var":17556.2,"ent":4.3,"data": [43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":133,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":137,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":17,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907371998000,"flow_dst_last_pkt_time":1657907372252000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":977,"flow_dst_tot_l4_payload_len":1076,"midstream":0,"thread_ts_usec":1657907372252000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":141,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":19,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907422129000,"flow_dst_last_pkt_time":1657907422383000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":979,"flow_dst_tot_l4_payload_len":1132,"midstream":0,"thread_ts_usec":1657907422383000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
@@ -103,10 +103,10 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6049166 bytes
-~~ total memory freed........: 6049166 bytes
+~~ total memory allocated....: 6049142 bytes
+~~ total memory freed........: 6049142 bytes
 ~~ total allocations/frees...: 121720/121720
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1848 chars
-~~ json string avg len.......: 1170 chars
+~~ json string max len.......: 1846 chars
+~~ json string avg len.......: 1169 chars
diff --git a/test/results/someip-tp.pcap.out b/test/results/someip-tp.pcap.out
index 95dad08ea..4604882da 100644
--- a/test/results/someip-tp.pcap.out
+++ b/test/results/someip-tp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035906 bytes
-~~ total memory freed........: 6035906 bytes
+~~ total memory allocated....: 6035902 bytes
+~~ total memory freed........: 6035902 bytes
 ~~ total allocations/frees...: 121496/121496
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/someip-udp-method-call.pcapng.out b/test/results/someip-udp-method-call.pcapng.out
index c34a71cd7..4459d1199 100644
--- a/test/results/someip-udp-method-call.pcapng.out
+++ b/test/results/someip-udp-method-call.pcapng.out
@@ -18,8 +18,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037332 bytes
-~~ total memory freed........: 6037332 bytes
+~~ total memory allocated....: 6037324 bytes
+~~ total memory freed........: 6037324 bytes
 ~~ total allocations/frees...: 121499/121499
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 509 chars
diff --git a/test/results/sql_injection.pcap.out b/test/results/sql_injection.pcap.out
index 6be5a9ce2..1cc3996a5 100644
--- a/test/results/sql_injection.pcap.out
+++ b/test/results/sql_injection.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036253 bytes
-~~ total memory freed........: 6036253 bytes
+~~ total memory allocated....: 6036249 bytes
+~~ total memory freed........: 6036249 bytes
 ~~ total allocations/frees...: 121499/121499
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/ssdp-m-search-ua.pcap.out b/test/results/ssdp-m-search-ua.pcap.out
index 0d03a0c54..1fb085ec8 100644
--- a/test/results/ssdp-m-search-ua.pcap.out
+++ b/test/results/ssdp-m-search-ua.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035769 bytes
-~~ total memory freed........: 6035769 bytes
+~~ total memory allocated....: 6035765 bytes
+~~ total memory freed........: 6035765 bytes
 ~~ total allocations/frees...: 121491/121491
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/ssdp-m-search.pcap.out b/test/results/ssdp-m-search.pcap.out
index 08fcdf329..064e5e8fa 100644
--- a/test/results/ssdp-m-search.pcap.out
+++ b/test/results/ssdp-m-search.pcap.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036168 bytes
-~~ total memory freed........: 6036168 bytes
+~~ total memory allocated....: 6036164 bytes
+~~ total memory freed........: 6036164 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/ssh.pcap.out b/test/results/ssh.pcap.out
index 520e507ee..c7a0e9767 100644
--- a/test/results/ssh.pcap.out
+++ b/test/results/ssh.pcap.out
@@ -9,7 +9,7 @@
 01252{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464768726,"flow_dst_last_pkt_time":1320435464768382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464768726,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"","hassh_server":""}}}
 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464769170,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464769196,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":""}}}
 01321{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464770779,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":805,"midstream":0,"thread_ts_usec":1320435464770779,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":"B1C6C0D56317555B85C7005A3DE29325"}}}
-01966{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":394614.2,"max":2907110,"stddev":888738.9,"var":789856780288.0,"ent":2.5,"data": [26,41,8112,8146,295,788,470,140,1469,1611,306,1791,1560,1614,14729,13069,1842,42337,40496,170,257,393,251,40593,51194,91555,2632288,2632557,1868772,1869058,2907110,0]},"pktlen": {"min":66,"avg":172.7,"max":970,"stddev":230.1,"var":52961.8,"ent":4.2,"data": [78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210]},"bins": {"c_to_s": [12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01964{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":394614.2,"max":2907110,"stddev":888738.9,"var":789856780288.0,"ent":2.5,"data": [26,41,8112,8146,295,788,470,140,1469,1611,306,1791,1560,1614,14729,13069,1842,42337,40496,170,257,393,251,40593,51194,91555,2632288,2632557,1868772,1869058,2907110]},"pktlen": {"min":66,"avg":172.7,"max":970,"stddev":230.1,"var":52961.8,"ent":4.2,"data": [78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210]},"bins": {"c_to_s": [12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 01168{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":99,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435713237065,"flow_dst_last_pkt_time":1320435713237024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":5109,"flow_dst_tot_l4_payload_len":13389,"midstream":0,"thread_ts_usec":1320435713237065,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","packets-captured":258,"packets-processed":258,"total-skipped-flows":0,"total-l4-payload-len":18498,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1320435713237065}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -20,10 +20,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045131 bytes
-~~ total memory freed........: 6045131 bytes
+~~ total memory allocated....: 6045127 bytes
+~~ total memory freed........: 6045127 bytes
 ~~ total allocations/frees...: 121749/121749
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1971 chars
-~~ json string avg len.......: 1185 chars
+~~ json string max len.......: 1969 chars
+~~ json string avg len.......: 1184 chars
diff --git a/test/results/ssl-cert-name-mismatch.pcap.out b/test/results/ssl-cert-name-mismatch.pcap.out
index 08658507e..73073825c 100644
--- a/test/results/ssl-cert-name-mismatch.pcap.out
+++ b/test/results/ssl-cert-name-mismatch.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046510 bytes
-~~ total memory freed........: 6046510 bytes
+~~ total memory allocated....: 6046506 bytes
+~~ total memory freed........: 6046506 bytes
 ~~ total allocations/frees...: 121517/121517
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 507 chars
diff --git a/test/results/starcraft_battle.pcap.out b/test/results/starcraft_battle.pcap.out
index 248c382e9..a46c8e215 100644
--- a/test/results/starcraft_battle.pcap.out
+++ b/test/results/starcraft_battle.pcap.out
@@ -73,7 +73,7 @@
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1437389964848564,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389964848564,"pkt":"hCYVPnXEIImEa8W6CABFAAAoFwpAAIAG68LAqAFkV\/jd\/g20AFApaAexwNDY71AQBADa8wAA"}
 01219{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389964848660,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":0,"content_type":"","user_agent":"Blizzard Web Client"}}}
 01374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964921004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1437389964921004,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":200,"content_type":"application\/octet-stream","user_agent":"Blizzard Web Client"}}}
-01944{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":12212.4,"max":72387,"stddev":23706.7,"var":562007808.0,"ent":2.8,"data": [58058,58113,96,58244,14251,72387,112,82,193,195,145,152,166,165,184,184,148,146,165,165,56805,56877,234,178,216,245,157,122,91,74,234,0]},"pktlen": {"min":54,"avg":699.5,"max":1514,"stddev":719.0,"var":516967.3,"ent":4.1,"data": [66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514]},"bins": {"c_to_s": [15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01942{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":12212.4,"max":72387,"stddev":23706.7,"var":562007808.0,"ent":2.8,"data": [58058,58113,96,58244,14251,72387,112,82,193,195,145,152,166,165,184,184,148,146,165,165,56805,56877,234,178,216,245,157,122,91,74,234]},"pktlen": {"min":54,"avg":699.5,"max":1514,"stddev":719.0,"var":516967.3,"ent":4.1,"data": [66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514]},"bins": {"c_to_s": [15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389967432431,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389967432431,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"12.129.222.54","src_port":3512,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967432431,"pkt":"hCYVPnXEIImEa8W6CABFAAA0U2dAAIAG+pjAqAFkDIHeNg24AFDXJA2NAAAAAIACIACvkgAAAgQFtAEDAwgBAQQC"}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":235,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967630455,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967630455,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAAC0GoQAMgd42wKgBZABQDbj6JMXG1yQNjoASFtD4xgAAAgQFtAEBBAIBAwMH"}
@@ -163,7 +163,7 @@
 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":335,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1437389982269189,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1437389982326953,"pkt":"IImEa8W6hCYVPnXECABFAAAsAABAADMGertQ77oVwKgBZABQDb8Q\/FwJfHOL6GASOQgOjQAAAgQFtAAA"}
 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":336,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1437389982327018,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389982327018,"pkt":"hCYVPnXEIImEa8W6CABFAAAoREtAAIAG6XPAqAFkUO+6FQ2\/AFB8c4voEPxcClAQ+vBkYQAA"}
 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":337,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389982269189,"flow_src_last_pkt_time":1437389982327086,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982327086,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.21","src_port":3519,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"eu.launcher.battle.net","http": {"url":"eu.launcher.battle.net\/service\/s2\/alert\/en-gb","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}}
-01682{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":38178.2,"max":166321,"stddev":53269.1,"var":2837592064.0,"ent":3.6,"data": [52549,52614,94628,145687,24327,95105,95914,166321,70940,49609,160290,31197,128649,15235,41,28,25,24,29,35,25,23,24,30,27,23,28,23,22,29,22,0]},"pktlen": {"min":54,"avg":116.4,"max":797,"stddev":136.0,"var":18494.5,"ent":4.5,"data": [66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77]},"bins": {"c_to_s": [23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
+01680{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":38178.2,"max":166321,"stddev":53269.1,"var":2837592064.0,"ent":3.6,"data": [52549,52614,94628,145687,24327,95105,95914,166321,70940,49609,160290,31197,128649,15235,41,28,25,24,29,35,25,23,24,30,27,23,28,23,22,29,22]},"pktlen": {"min":54,"avg":116.4,"max":797,"stddev":136.0,"var":18494.5,"ent":4.5,"data": [66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77]},"bins": {"c_to_s": [23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769377,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769377,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"5.42.180.154","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":44,"pkt_l4_len":10,"thread_ts_usec":1437389982769377,"pkt":"hCYVPnXEIImEa8W6CABFAAAeGS0AAIARpdHAqAFkBSq0ms+aBF8ACqcOCQE="}
 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":378,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982769429,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769429,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -249,7 +249,7 @@
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":686,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1437389985925643,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389985962002,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAADkGTmQC5C5wwKgBZABQDc1+R6dFIysb3oASOQjP5wAAAgQFtAEBBAIBAwMF"}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":687,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1437389985962022,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389985962022,"pkt":"hCYVPnXEIImEa8W6CABFAAAoLPpAAIAG2nXAqAFkAuQucA3NAFAjKxvefkenRlAQAQBIwAAA"}
 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":688,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389985925643,"flow_src_last_pkt_time":1437389985962058,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":146,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":146,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389985962058,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3533,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"bnetcmsus-a.akamaihd.net","http": {"url":"bnetcmsus-a.akamaihd.net\/cms\/bnet_header\/mf\/MFTH8TS42HKX1430183778319.jpg","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}}
-01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":6690.8,"max":34324,"stddev":13000.1,"var":169003376.0,"ent":2.9,"data": [32476,32510,1623,34324,1138,65,33880,153,130,283,141,278,419,213,122,339,108,139,244,139,597,734,100,131,232,130,134,265,32899,285,33184,0]},"pktlen": {"min":54,"avg":880.8,"max":1514,"stddev":718.4,"var":516058.3,"ent":4.4,"data": [66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54]},"bins": {"c_to_s": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":6690.8,"max":34324,"stddev":13000.1,"var":169003376.0,"ent":2.9,"data": [32476,32510,1623,34324,1138,65,33880,153,130,283,141,278,419,213,122,339,108,139,244,139,597,734,100,131,232,130,134,265,32899,285,33184]},"pktlen": {"min":54,"avg":880.8,"max":1514,"stddev":718.4,"var":516058.3,"ent":4.4,"data": [66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54]},"bins": {"c_to_s": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00875{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","ndpi": {"confidence": {"1":"Match by port"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}}
 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389961548711,"flow_src_last_pkt_time":1437389961548711,"flow_dst_last_pkt_time":1437389961598805,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
@@ -324,10 +324,10 @@
 ~~ total active/idle flows...: 52/52
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6170633 bytes
-~~ total memory freed........: 6170633 bytes
+~~ total memory allocated....: 6170425 bytes
+~~ total memory freed........: 6170425 bytes
 ~~ total allocations/frees...: 122884/122884
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 202 chars
-~~ json string max len.......: 1949 chars
-~~ json string avg len.......: 1075 chars
+~~ json string max len.......: 1947 chars
+~~ json string avg len.......: 1074 chars
diff --git a/test/results/steam.pcap.out b/test/results/steam.pcap.out
index 7395ad60f..3613aa449 100644
--- a/test/results/steam.pcap.out
+++ b/test/results/steam.pcap.out
@@ -270,8 +270,8 @@
 ~~ total active/idle flows...: 55/55
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6126573 bytes
-~~ total memory freed........: 6126573 bytes
+~~ total memory allocated....: 6126353 bytes
+~~ total memory freed........: 6126353 bytes
 ~~ total allocations/frees...: 122131/122131
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/steam_datagram_relay_ping.pcapng.out b/test/results/steam_datagram_relay_ping.pcapng.out
index 358e45ae8..242a6ca8e 100644
--- a/test/results/steam_datagram_relay_ping.pcapng.out
+++ b/test/results/steam_datagram_relay_ping.pcapng.out
@@ -14,8 +14,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035703 bytes
-~~ total memory freed........: 6035703 bytes
+~~ total memory allocated....: 6035699 bytes
+~~ total memory freed........: 6035699 bytes
 ~~ total allocations/frees...: 121489/121489
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 512 chars
diff --git a/test/results/stun.pcap.out b/test/results/stun.pcap.out
index 2857af3bf..bf0a40b97 100644
--- a/test/results/stun.pcap.out
+++ b/test/results/stun.pcap.out
@@ -7,7 +7,7 @@
 00995{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938042789437,"flow_dst_last_pkt_time":1614938042793385,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":132,"midstream":0,"thread_ts_usec":1614938042793385,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"","stun": {"num_pkts":3,"num_binding_requests":4,"num_processed_pkts":3}}}
 00953{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":15,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938072959021,"flow_dst_last_pkt_time":1614938072965856,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":140,"flow_dst_tot_l4_payload_len":308,"midstream":0,"thread_ts_usec":1614938072965856,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00955{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":25,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938123200754,"flow_dst_last_pkt_time":1614938123207596,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":528,"midstream":0,"thread_ts_usec":1614938123207596,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01864{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938163424247,"flow_dst_last_pkt_time":1614938163431063,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":320,"flow_dst_tot_l4_payload_len":704,"midstream":0,"thread_ts_usec":1614938163431063,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2867,"avg":9105286.0,"max":10358549,"stddev":2980037.5,"var":8880623976448.0,"ent":4.8,"data": [6861,10132226,10132257,10358549,2935,10358540,2867,10055433,10055494,10056921,10056927,10057230,10057183,10053930,10053957,10069481,10069496,10027109,10027105,10027261,10027286,10063952,10063896,10098322,10098363,10035461,10035403,10061356,10061442,10028354,10028259,0]},"pktlen": {"min":82,"avg":94.0,"max":106,"stddev":12.0,"var":144.0,"ent":5.0,"data": [82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01862{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938163424247,"flow_dst_last_pkt_time":1614938163431063,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":320,"flow_dst_tot_l4_payload_len":704,"midstream":0,"thread_ts_usec":1614938163431063,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2867,"avg":9105286.0,"max":10358549,"stddev":2980037.5,"var":8880623976448.0,"ent":4.8,"data": [6861,10132226,10132257,10358549,2935,10358540,2867,10055433,10055494,10056921,10056927,10057230,10057183,10053930,10053957,10069481,10069496,10027109,10027105,10027261,10027286,10063952,10063896,10098322,10098363,10035461,10035403,10061356,10061442,10028354,10028259]},"pktlen": {"min":82,"avg":94.0,"max":106,"stddev":12.0,"var":144.0,"ent":5.0,"data": [82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00955{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":35,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":17,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938173452831,"flow_dst_last_pkt_time":1614938173459694,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":340,"flow_dst_tot_l4_payload_len":748,"midstream":0,"thread_ts_usec":1614938173459694,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":43,"source":"stun.pcap","alias":"nDPId-test","packets-captured":43,"packets-processed":42,"total-skipped-flows":0,"total-l4-payload-len":1344,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":3,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1629291451242856}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451242856,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1629291451242856,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -15,7 +15,7 @@
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1629291451254377,"pkt":"mt9Y+uvcCL6sCxduCABFAACER+pAAFURmuofDVY2wKgMqZxDlOsAcMgPARMAVCESpEJBSzdRUHlQSzlldVYACQAQAAAEAXVuYXV0aG9yaXplZAAVAChiYjAzMWQ2MWNjYzFiZTgyZTI0MDE0NDM1ZWQ1MmYyNmZiYTYyNDgzABQAD3R1cm5lci5mYWNlYm9vawA="}
 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":104,"midstream":0,"thread_ts_usec":1629291451254377,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"turner.facebook","stun": {"num_pkts":2,"num_binding_requests":0,"num_processed_pkts":1}}}
 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1629291451258494,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":178,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":178,"pkt_l4_len":144,"thread_ts_usec":1629291451258494,"pkt":"CL6sCxdumt9Y+uvcCABFAACkVYNAAEARojHAqAypHw1WNpTrnEMAkHyWAAMAdCESpEI1elVqTVhIdmV3K3MAGQAEEQAAAAAGABBNZjJoOUhpNWFQTVJwbEYxABQAD3R1cm5lci5mYWNlYm9vawAAFQAoYmIwMzFkNjFjY2MxYmU4MmUyNDAxNDQzNWVkNTJmMjZmYmE2MjQ4MwAIABSHhqaIN2rgJVJbblyGsNjNga5wAA=="}
-01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":74,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":446593.3,"max":6004359,"stddev":1462539.6,"var":2139022032896.0,"ent":1.9,"data": [11521,15638,15947,6004359,4743,5997443,4483,7520,7140,108439,344493,499169,68464,195,19689,29038,92171,23636,96419,1566,50324,48303,277,50092,3265,34,52919,437,9663,44853,232153,0]},"pktlen": {"min":70,"avg":153.6,"max":182,"stddev":32.1,"var":1033.4,"ent":5.0,"data": [70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174]},"bins": {"c_to_s": [1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":74,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":446593.3,"max":6004359,"stddev":1462539.6,"var":2139022032896.0,"ent":1.9,"data": [11521,15638,15947,6004359,4743,5997443,4483,7520,7140,108439,344493,499169,68464,195,19689,29038,92171,23636,96419,1566,50324,48303,277,50092,3265,34,52919,437,9663,44853,232153]},"pktlen": {"min":70,"avg":153.6,"max":182,"stddev":32.1,"var":1033.4,"ent":5.0,"data": [70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174]},"bins": {"c_to_s": [1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00954{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":114,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":21,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938213778839,"flow_dst_last_pkt_time":1614938213785682,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":924,"midstream":0,"thread_ts_usec":1629291461216501,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":118,"source":"stun.pcap","alias":"nDPId-test","packets-captured":118,"packets-processed":117,"total-skipped-flows":0,"total-l4-payload-len":8748,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":3,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1643626018009166}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":118,"source":"stun.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643626018009166,"flow_src_last_pkt_time":1643626018009166,"flow_dst_last_pkt_time":1643626018009166,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643626018009166,"l3_proto":"ip4","src_ip":"87.47.100.17","dst_ip":"54.1.57.155","src_port":3478,"dst_port":37257,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -30,7 +30,7 @@
 00616{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":139,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1647958145472010,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1647958145494943,"pkt":"mt9Y+uvcCL6sCxduCABFgAB4CTMAAGgRmhOO+lJjwKgMqQ2WwAEAZP2fAQEASCESpEJ3bGtZRHRGSndEMi8ABgAVVlVBazZBeTdodnVMbkxHTzp0eUd1AAAAACAACAABDpd8PUUEAAgAFMkvMxJ2ZVgNos4I+G8Cki6KP0KSgCgABEOVy9w="}
 00698{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1647958145497647,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":195,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":195,"pkt_l4_len":161,"thread_ts_usec":1647958145497647,"pkt":"CL6sCxdumt9Y+uvcCABFAAC1XMZAAEARLsPAqAypjvpSY8ABDZYAoaIVFv7\/AAAAAAAAAAAAjAEAAIAAAAAAAAAAgP791X1ylaTuNVSstdiIoIYfSIMff5WF4WIe0fPoTt2GU88AAAAWwCvAL8ypzKjACcATwArAFACcAC8ANQEAAEAAFwAA\/wEAAQAACgAIAAYAHQAXABgACwACAQAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAA4ABQACAAEA"}
 00970{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":141,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958145516401,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":373,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1647958145516401,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}}
-01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":169,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":131323.2,"max":835905,"stddev":227053.5,"var":51553292288.0,"ent":3.4,"data": [22933,25637,18754,26966,8994,16545,8218,21,95990,9415,96088,13935,9667,14034,28,10,28365,12045,233249,17389,835905,625348,352669,699812,203670,550729,72132,9045,20632,28113,14681,0]},"pktlen": {"min":76,"avg":193.2,"max":1240,"stddev":221.3,"var":48965.1,"ent":4.5,"data": [150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109]},"bins": {"c_to_s": [0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":169,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":131323.2,"max":835905,"stddev":227053.5,"var":51553292288.0,"ent":3.4,"data": [22933,25637,18754,26966,8994,16545,8218,21,95990,9415,96088,13935,9667,14034,28,10,28365,12045,233249,17389,835905,625348,352669,699812,203670,550729,72132,9045,20632,28113,14681]},"pktlen": {"min":76,"avg":193.2,"max":1240,"stddev":221.3,"var":48965.1,"ent":4.5,"data": [150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109]},"bins": {"c_to_s": [0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147591534,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2100,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147591534,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":11,"flow_first_seen":1643626018009166,"flow_src_last_pkt_time":1643626018957379,"flow_dst_last_pkt_time":1643626018908035,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1647958147591534,"l3_proto":"ip4","src_ip":"87.47.100.17","dst_ip":"54.1.57.155","src_port":3478,"dst_port":37257,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","packets-captured":170,"packets-processed":170,"total-skipped-flows":0,"total-l4-payload-len":15998,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":3,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1647958147591534}
@@ -42,10 +42,10 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055739 bytes
-~~ total memory freed........: 6055739 bytes
+~~ total memory allocated....: 6055723 bytes
+~~ total memory freed........: 6055723 bytes
 ~~ total allocations/frees...: 121690/121690
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1891 chars
-~~ json string avg len.......: 1189 chars
+~~ json string max len.......: 1889 chars
+~~ json string avg len.......: 1188 chars
diff --git a/test/results/stun_signal.pcapng.out b/test/results/stun_signal.pcapng.out
index aa033f675..3618d7b74 100644
--- a/test/results/stun_signal.pcapng.out
+++ b/test/results/stun_signal.pcapng.out
@@ -67,11 +67,11 @@
 00590{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636901958378136,"pkt":"mt9Y+uvcCL6sCxduCABFSABcrnFAAAMRZTQSw4OPwKgMqe7kqDwASOO3AQEALCESpEJyRHdyaGtEci8vOWUAIAAIAAEPmHw9RVEACAAUZTe+q2TI1x26\/6LLBdUUDVZaZoOAKAAEsQfEQQ=="}
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636901958378173,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8rnJAAAMRZRMSw4OPwKgMqe7kqDwAaODiAAEATCESpEJ2dFg5dWZIQUdCakMABgAJbU53cTpXSnN1AAAAwFcABAADA4SAKQAIQYCdgvFBqWUAJAAEbn8g\/wAIABSzQMYtF7YKfV2BCR2ZgRKFjKrZ7YAoAASRLc2k"}
 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":160,"midstream":0,"thread_ts_usec":1636901958378173,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}}
-01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":149493.4,"max":679364,"stddev":200828.1,"var":40331911168.0,"ent":3.9,"data": [83894,37,92476,7793,46066,91419,25,37867,39955,9097,41868,367689,125,441001,43,600796,610250,117949,49918,49758,64212,212886,679364,8747,45,503798,102888,200994,101814,9344,62177,0]},"pktlen": {"min":70,"avg":105.9,"max":146,"stddev":24.9,"var":621.5,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98]},"bins": {"c_to_s": [4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":149493.4,"max":679364,"stddev":200828.1,"var":40331911168.0,"ent":3.9,"data": [83894,37,92476,7793,46066,91419,25,37867,39955,9097,41868,367689,125,441001,43,600796,610250,117949,49918,49758,64212,212886,679364,8747,45,503798,102888,200994,101814,9344,62177]},"pktlen": {"min":70,"avg":105.9,"max":146,"stddev":24.9,"var":621.5,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98]},"bins": {"c_to_s": [4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00888{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":201,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901964741654,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901966826937,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":208,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1636901956900169,"flow_src_last_pkt_time":1636901967279945,"flow_dst_last_pkt_time":1636901957525218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":60,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1636901967279945,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_pkts":2,"num_binding_requests":2,"num_processed_pkts":2}}}
 01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1636901956921410,"flow_src_last_pkt_time":1636901967553880,"flow_dst_last_pkt_time":1636901967684533,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":96,"midstream":0,"thread_ts_usec":1636901967684533,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":3,"num_binding_requests":4,"num_processed_pkts":3}}}
-01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1596705.0,"max":17079364,"stddev":3547473.5,"var":12584568750080.0,"ent":2.8,"data": [4084,63003,42,180775,3510,1499231,2002773,15,4841966,76,17079364,30045,28084,9989,178591,30710,1472432,2000483,30998,3968781,29896,37348,7808,7927339,28492,35381,6539,7931223,29238,34577,5065,0]},"pktlen": {"min":90,"avg":95.5,"max":138,"stddev":11.6,"var":133.8,"ent":5.0,"data": [90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98]},"bins": {"c_to_s": [0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1596705.0,"max":17079364,"stddev":3547473.5,"var":12584568750080.0,"ent":2.8,"data": [4084,63003,42,180775,3510,1499231,2002773,15,4841966,76,17079364,30045,28084,9989,178591,30710,1472432,2000483,30998,3968781,29896,37348,7808,7927339,28492,35381,6539,7931223,29238,34577,5065]},"pktlen": {"min":90,"avg":95.5,"max":138,"stddev":11.6,"var":133.8,"ent":5.0,"data": [90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98]},"bins": {"c_to_s": [0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1636901936065479,"flow_src_last_pkt_time":1636901939886818,"flow_dst_last_pkt_time":1636901936065479,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00773{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1636901936040699,"flow_src_last_pkt_time":1636901936292790,"flow_dst_last_pkt_time":1636901936667023,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47204,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1636901936070410,"flow_src_last_pkt_time":1636901939887803,"flow_dst_last_pkt_time":1636901936070410,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -123,7 +123,7 @@
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000024715,"flow_dst_last_pkt_time":1636902000107063,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000107063,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8w7NAAAYRTNISw4OPwKgMqdMmupcAaK01AAEATCESpEJBbDNpSTF1eStSR1UABgAJN2tzczoxRVpzAAAAwFcABAAAA+eAKQAIiflXHs5q0dMAJAAEbgAg\/wAIABQSmjpLVWLcQ98KImy+h9G3RC6S1IAoAATBitk4"}
 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142220,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636902000142220,"pkt":"mt9Y+uvcCL6sCxduCABFAABcw7ZAAAYRTTcSw4OPwKgMqfA6upcASKsWAQEALCESpEI3OHB2NXh3VHhSY2IAIAAIAAEPjnw9RVEACAAUJEyhW79\/NO7EtgfmN47ncd2\/SCyAKAAE6dNIHg=="}
 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142270,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000142270,"pkt":"mt9Y+uvcCL6sCxduCABFAAB8w7dAAAYRTRYSw4OPwKgMqfA6upcAaP5PAAEATCESpEIwbFM2UjdmdjFzOTMABgAJN2tzczoxRVpzAAAAwFcABAADA4SAKQAIiflXHs5q0dMAJAAEbn8g\/wAIABT+u0FmMYg2qxKb1bY78Qe06uM1KoAoAAQrkPMA"}
-01888{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":152743.5,"max":665020,"stddev":189167.3,"var":35784253440.0,"ent":4.0,"data": [68482,50,70303,29273,44732,113365,45,43187,26522,8477,31033,313588,306,410657,43,665020,630540,122450,190474,61616,378076,7868,325508,42160,76005,424878,96788,5410,434339,47676,66176,0]},"pktlen": {"min":70,"avg":108.2,"max":146,"stddev":24.6,"var":605.9,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106]},"bins": {"c_to_s": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":152743.5,"max":665020,"stddev":189167.3,"var":35784253440.0,"ent":4.0,"data": [68482,50,70303,29273,44732,113365,45,43187,26522,8477,31033,313588,306,410657,43,665020,630540,122450,190474,61616,378076,7868,325508,42160,76005,424878,96788,5410,434339,47676,66176]},"pktlen": {"min":70,"avg":108.2,"max":146,"stddev":24.6,"var":605.9,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106]},"bins": {"c_to_s": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00933{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":11,"flow_first_seen":1636901956930390,"flow_src_last_pkt_time":1636901987891969,"flow_dst_last_pkt_time":1636901987908068,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":820,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":0,"flow_first_seen":1636901956899977,"flow_src_last_pkt_time":1636901980718780,"flow_dst_last_pkt_time":1636901956899977,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":384,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 01064{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1636901956900169,"flow_src_last_pkt_time":1636901977907336,"flow_dst_last_pkt_time":1636901978278487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":192,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -165,10 +165,10 @@
 ~~ total active/idle flows...: 23/23
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6093165 bytes
-~~ total memory freed........: 6093165 bytes
+~~ total memory allocated....: 6093073 bytes
+~~ total memory freed........: 6093073 bytes
 ~~ total allocations/frees...: 122175/122175
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1893 chars
-~~ json string avg len.......: 1194 chars
+~~ json string max len.......: 1891 chars
+~~ json string avg len.......: 1193 chars
diff --git a/test/results/syncthing.pcap.out b/test/results/syncthing.pcap.out
index e403210b5..22f282fd6 100644
--- a/test/results/syncthing.pcap.out
+++ b/test/results/syncthing.pcap.out
@@ -42,8 +42,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6041403 bytes
-~~ total memory freed........: 6041403 bytes
+~~ total memory allocated....: 6041387 bytes
+~~ total memory freed........: 6041387 bytes
 ~~ total allocations/frees...: 121547/121547
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/synscan.pcap.out b/test/results/synscan.pcap.out
index 5a456843c..9f0f256c4 100644
--- a/test/results/synscan.pcap.out
+++ b/test/results/synscan.pcap.out
@@ -7996,8 +7996,8 @@
 ~~ total active/idle flows...: 1994/1994
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 9338588 bytes
-~~ total memory freed........: 9338588 bytes
+~~ total memory allocated....: 9330612 bytes
+~~ total memory freed........: 9330612 bytes
 ~~ total allocations/frees...: 143430/143430
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/syslog.pcap.out b/test/results/syslog.pcap.out
index 7dd3281fd..3dd1a45ee 100644
--- a/test/results/syslog.pcap.out
+++ b/test/results/syslog.pcap.out
@@ -142,8 +142,8 @@
 ~~ total active/idle flows...: 19/19
 ~~ total timeout flows.......: 2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6069745 bytes
-~~ total memory freed........: 6069745 bytes
+~~ total memory allocated....: 6069669 bytes
+~~ total memory freed........: 6069669 bytes
 ~~ total allocations/frees...: 121763/121763
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 184 chars
diff --git a/test/results/targusdataspeed_false_positives.pcap.out b/test/results/targusdataspeed_false_positives.pcap.out
index 10f5a461b..1b805f742 100644
--- a/test/results/targusdataspeed_false_positives.pcap.out
+++ b/test/results/targusdataspeed_false_positives.pcap.out
@@ -18,8 +18,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6299629 bytes
-~~ total memory freed........: 6299629 bytes
+~~ total memory allocated....: 6299621 bytes
+~~ total memory freed........: 6299621 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 516 chars
diff --git a/test/results/teams.pcap.out b/test/results/teams.pcap.out
index 550a44409..dbe0d9acc 100644
--- a/test/results/teams.pcap.out
+++ b/test/results/teams.pcap.out
@@ -34,7 +34,7 @@
 01058{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676449862,"flow_dst_last_pkt_time":1587041676448366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676449862,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01380{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676464401,"flow_dst_last_pkt_time":1587041676464459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041676464459,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}}
 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676499766,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
-01547{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537,0]},"pktlen": {"min":54,"avg":407.9,"max":1506,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0]}}
+01545{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537]},"pktlen": {"min":54,"avg":407.9,"max":1506,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0]}}
 01383{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}}
 01709{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676545644,"flow_dst_last_pkt_time":1587041676545713,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041676545713,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":64,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041676611249}
@@ -45,7 +45,7 @@
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1587041676642755,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041676642755,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR5PAqAEGKH4JBex2AbukS07qokMa3IAQEAn5EwAAAQEICjCEmIFVAL3h"}
 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676643404,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01123{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041676675374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
-01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3,0]},"pktlen": {"min":66,"avg":921.9,"max":1506,"stddev":687.5,"var":472618.5,"ent":4.5,"data": [78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0]}}
+01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3]},"pktlen": {"min":66,"avg":921.9,"max":1506,"stddev":687.5,"var":472618.5,"ent":4.5,"data": [78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0]}}
 01714{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677042751,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041677042751,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIex3AbvbPWM6AAAAALAC\/\/\/8iwAAAgQFtAEDAwUBAQgKMISaAAAAAAAEAgAA"}
@@ -58,8 +58,8 @@
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":177,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677255227,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677255227,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx4Abt\/TkvWpItVFFAQIAAkOAAA"}
 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677255452,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677255452,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01381{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677269406,"flow_dst_last_pkt_time":1587041677269476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041677269476,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}}
-01841{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18406.6,"max":49836,"stddev":21194.3,"var":449200096.0,"ent":3.9,"data": [45263,45409,339,49216,21,48838,224,177,1271,46526,45316,1920,4,2,47729,45783,4,2,3,37748,37711,4,8018,8058,5,734,37027,7756,4339,49836,1321,0]},"pktlen": {"min":66,"avg":694.6,"max":1506,"stddev":673.1,"var":453031.8,"ent":4.2,"data": [78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97]},"bins": {"c_to_s": [7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}}
-01540{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":5148.5,"max":50397,"stddev":9740.5,"var":94877928.0,"ent":3.3,"data": [11421,11522,225,11256,2751,92,13830,124,124,124,3,141,4803,15532,11803,1342,15,233,10,306,235,4,56,10886,31,10351,1699,244,14,50397,30,0]},"pktlen": {"min":54,"avg":430.0,"max":1506,"stddev":569.7,"var":324516.5,"ent":3.9,"data": [78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069]},"bins": {"c_to_s": [8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1]}}
+01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18406.6,"max":49836,"stddev":21194.3,"var":449200096.0,"ent":3.9,"data": [45263,45409,339,49216,21,48838,224,177,1271,46526,45316,1920,4,2,47729,45783,4,2,3,37748,37711,4,8018,8058,5,734,37027,7756,4339,49836,1321]},"pktlen": {"min":66,"avg":694.6,"max":1506,"stddev":673.1,"var":453031.8,"ent":4.2,"data": [78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97]},"bins": {"c_to_s": [7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}}
+01538{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":5148.5,"max":50397,"stddev":9740.5,"var":94877928.0,"ent":3.3,"data": [11421,11522,225,11256,2751,92,13830,124,124,124,3,141,4803,15532,11803,1342,15,233,10,306,235,4,56,10886,31,10351,1699,244,14,50397,30]},"pktlen": {"min":54,"avg":430.0,"max":1506,"stddev":569.7,"var":324516.5,"ent":3.9,"data": [78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069]},"bins": {"c_to_s": [8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1]}}
 01385{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}}
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":403,"source":"teams.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677380886,"flow_dst_last_pkt_time":1587041673094451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677380886,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGPCzAqAEGlZqnW+SlAbsZTPC8DAoX91AUECaMmwAA"}
 00187{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":607,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041677408485}
@@ -191,7 +191,7 @@
 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1212,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682744342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682744658,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01348{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1213,"source":"teams.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682740607,"flow_dst_last_pkt_time":1587041682745381,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":665,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":665,"pkt_l4_len":631,"thread_ts_usec":1587041682745381,"pkt":"EBMx8Tl2KDc3AG3ICABFAAKLAABAAEAGwL7AqAEGon0Tg+u4AbuLprsOEqsiiIAYEAA0LgAAAQEICjCEr+ORzaKrFwMDAlK2BaXSajSAVWEKj3frXxijYpT3GD2Cuos6bxaeeEb0O6UJhzmzPZI\/SWy+fgBnTfneCwusduYkx4s3F4xCn2MY3DEvpr\/P48ATzKlJ++OHqI7OI3KpokJ1bF8YwJjJpFyWkPT0\/gdDA2C0thwexYlLgVCHe4dECfAKO3ai6a9AkpIGftSCmWnSsB7\/GodcDd1wDIWHn+mS6A9bTO\/2sRCfLQjmwaqnM\/0Kd1DorrQMm9TT6\/w11NzOyGJGqVRWfthWKCJ2r5CEFaogXR64MxPpr2FM6spcuDUY4C3Hc53Q7uc97BndljPBEgsGGu2WIs1hpBKyBrbp4cakeWFrgRHILDge\/JLjoB\/we0ie6rPfHdzAzbH+CVHboc7ECVvIV6N2Rd\/z5fI6cJ5y1i\/CGpe9JS\/DjF+npNlL3gVvBs3y7VpT4ziTRBRlbzG6hzfaYWVE\/I1GNwloup0kRP0\/\/fFg59buQBmTxdHJsfm4laPDQEGg2\/E9TD5wbcmagME1tYB8Z6HaDDAe1MbrBXtLSM8VMS0ZeI23LZfgw6dIscXGQh+EZCVohYQ2K\/dCOtZqYIGlXsZd11O+bX\/KPVaVnsGCQqimWVbYkJXTdkE5fdL4ibwUdj8vI7+8IXUv8oArxAdVEWB2+pth6d9Zti7C4SxMlmajA50jkJHElO8G4w6Wzb86qkyK4WbkuYLazUSRxEvrQrVtZjtDDcEAhbB3i\/CCiXoyK9403MAI7UV+NXn0+Iqmacnoi+GSVKkccDjbrlFQ3qxHSBpnh\/Zt22FSB4TV4eA="}
 01082{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1228,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1587041682792228,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
-01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765,0]},"pktlen": {"min":66,"avg":833.7,"max":1506,"stddev":699.2,"var":488828.9,"ent":4.4,"data": [78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0]}}
+01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765]},"pktlen": {"min":66,"avg":833.7,"max":1506,"stddev":699.2,"var":488828.9,"ent":4.4,"data": [78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0]}}
 01717{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682809173,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041682809173,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG+gHAqAEGp2PXpOyCEVImrEWfAAAAALAC\/\/+rgAAAAgQFtAEDAwUBAQgKMISwIQAAAAAEAgAA"}
@@ -199,7 +199,7 @@
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1299,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682862738,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041682862738,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+g3AqAEGp2PXpOyCEVImrEWgy3y3uIAQECwqYQAAAQEICjCEsFATeRnV"}
 01237{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1300,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682863165,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682917561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":152,"midstream":0,"thread_ts_usec":1587041682917561,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"410b9bedaf65dd26c6fe547154d60db4","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":25031.7,"max":201410,"stddev":47065.5,"var":2215158784.0,"ent":3.2,"data": [45653,45756,213,47886,30,47672,17,83,202,104,167,9896,9950,3499,10390,395,51386,37078,221,190,155,7115,7018,1251,1197,79250,201410,7,34,167536,222,0]},"pktlen": {"min":54,"avg":354.2,"max":1506,"stddev":510.3,"var":260451.7,"ent":3.9,"data": [78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96]},"bins": {"c_to_s": [11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":25031.7,"max":201410,"stddev":47065.5,"var":2215158784.0,"ent":3.2,"data": [45653,45756,213,47886,30,47672,17,83,202,104,167,9896,9950,3499,10390,395,51386,37078,221,190,155,7115,7018,1251,1197,79250,201410,7,34,167536,222]},"pktlen": {"min":54,"avg":354.2,"max":1506,"stddev":510.3,"var":260451.7,"ent":3.9,"data": [78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96]},"bins": {"c_to_s": [11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1587041683142905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABOVgkAAP8R4j3AqAEGwKgBAeCgADUAOmwyTTEBAAABAAAAAAAACmNoYXRzdmNhZ2cEc3ZjcwV0ZWFtcwZvZmZpY2UDY29tAAABAAE="}
 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"chatsvcagg.svcs.teams.office.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -218,7 +218,7 @@
 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041683406443}
 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683396534,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 01712{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1503,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041683333389,"flow_src_last_pkt_time":1587041683430891,"flow_dst_last_pkt_time":1587041683431072,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041683431072,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20999.2,"max":115070,"stddev":31123.6,"var":968681216.0,"ent":3.5,"data": [34191,34298,279,36871,33,36580,20,190,171,120,2,98,1011,12039,309,36028,22727,226,163,129,10387,10298,599,557,77127,91684,7,49137,80440,115070,185,0]},"pktlen": {"min":66,"avg":391.2,"max":1506,"stddev":521.7,"var":272149.2,"ent":4.0,"data": [78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153]},"bins": {"c_to_s": [11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0],"s_to_c": [3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20999.2,"max":115070,"stddev":31123.6,"var":968681216.0,"ent":3.5,"data": [34191,34298,279,36871,33,36580,20,190,171,120,2,98,1011,12039,309,36028,22727,226,163,129,10387,10298,599,557,77127,91684,7,49137,80440,115070,185]},"pktlen": {"min":66,"avg":391.2,"max":1506,"stddev":521.7,"var":272149.2,"ent":4.0,"data": [78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153]},"bins": {"c_to_s": [11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0],"s_to_c": [3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041683611241}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683605577,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1685,"source":"teams.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041684291077,"flow_src_last_pkt_time":1587041684291077,"flow_dst_last_pkt_time":1587041684291077,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684291077,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":59403,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -232,11 +232,11 @@
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1698,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_src_last_pkt_time":1587041684317725,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041684317725,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGWazAqAEGDWsSC+yFAbvNnLiaNd4cNVAQIADoJAAA"}
 01073{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1699,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684317987,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684317987,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01897{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1722,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684362150,"flow_dst_last_pkt_time":1587041684362335,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":4396,"midstream":0,"thread_ts_usec":1587041684362335,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}}
-01565{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632,0]},"pktlen": {"min":54,"avg":319.2,"max":1506,"stddev":468.1,"var":219152.8,"ent":3.9,"data": [78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1]}}
+01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632]},"pktlen": {"min":54,"avg":319.2,"max":1506,"stddev":468.1,"var":219152.8,"ent":3.9,"data": [78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1]}}
 01436{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041684611243}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041684501226,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
-01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314,0]},"pktlen": {"min":54,"avg":345.5,"max":1506,"stddev":473.5,"var":224192.2,"ent":4.0,"data": [78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0]}}
+01549{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314]},"pktlen": {"min":54,"avg":345.5,"max":1506,"stddev":473.5,"var":224192.2,"ent":4.0,"data": [78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0]}}
 01901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1587041685090830,"pkt":"EBMx8Tl2KDc3AG3ICABFAABJHhYAAP8RGjbAqAEGwKgBAe89ADUANcKVVKoBAAABAAAAAAAABGV1YXoCdHIFdGVhbXMJbWljcm9zb2Z0A2NvbQAAAQAB"}
@@ -300,7 +300,7 @@
 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041685406369}
 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685403983,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 01587{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1908,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1587041685106192,"flow_src_last_pkt_time":1587041685420065,"flow_dst_last_pkt_time":1587041685420103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":5962,"midstream":0,"thread_ts_usec":1587041685420103,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"trouter2-asse-a.trouter.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}}
-01569{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243,0]},"pktlen": {"min":54,"avg":599.7,"max":1506,"stddev":671.4,"var":450756.0,"ent":4.1,"data": [78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1]}}
+01567{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243]},"pktlen": {"min":54,"avg":599.7,"max":1506,"stddev":671.4,"var":450756.0,"ent":4.1,"data": [78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1]}}
 01552{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041685611278}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685546646,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
@@ -316,7 +316,7 @@
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2045,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":3,"flow_src_last_pkt_time":1587041686288255,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041686288255,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIeyPAbtgh2e+U\/RRNYAQEAkdGQAAAQEICjCEvUBhH1u7"}
 01180{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2046,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686288562,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2047,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686339149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041686339149,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
-01842{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19511.4,"max":52987,"stddev":22191.7,"var":492470496.0,"ent":3.9,"data": [48601,48710,307,51003,89,50699,16,253,253,1686,49778,48144,1391,5,2,50498,49101,4,2,3,37233,37219,5,11525,11515,965,36039,15972,52987,736,111,0]},"pktlen": {"min":66,"avg":654.9,"max":1506,"stddev":667.9,"var":446080.7,"ent":4.2,"data": [78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}}
+01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19511.4,"max":52987,"stddev":22191.7,"var":492470496.0,"ent":3.9,"data": [48601,48710,307,51003,89,50699,16,253,253,1686,49778,48144,1391,5,2,50498,49101,4,2,3,37233,37219,5,11525,11515,965,36039,15972,52987,736,111]},"pktlen": {"min":66,"avg":654.9,"max":1506,"stddev":667.9,"var":446080.7,"ent":4.2,"data": [78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041686611252}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041686589907,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2077,"source":"teams.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041686659283,"flow_src_last_pkt_time":1587041686659283,"flow_dst_last_pkt_time":1587041686659283,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686659283,"l3_proto":"ip4","src_ip":"192.168.1.112","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -348,7 +348,7 @@
 01712{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2226,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687544052,"flow_dst_last_pkt_time":1587041687544137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":412,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041687544137,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041687611308}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041687600094,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
-01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18634.2,"max":125561,"stddev":31723.1,"var":1006353792.0,"ent":3.4,"data": [29516,29616,237,45747,220,45693,117,89,54,132,3,86,615,23250,232,30155,31,6115,4,245,22863,22646,1494,1434,2892,30,32749,246,30074,125513,125561,0]},"pktlen": {"min":66,"avg":359.2,"max":1506,"stddev":499.9,"var":249913.2,"ent":4.0,"data": [78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66]},"bins": {"c_to_s": [12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
+01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18634.2,"max":125561,"stddev":31723.1,"var":1006353792.0,"ent":3.4,"data": [29516,29616,237,45747,220,45693,117,89,54,132,3,86,615,23250,232,30155,31,6115,4,245,22863,22646,1494,1434,2892,30,32749,246,30074,125513,125561]},"pktlen": {"min":66,"avg":359.2,"max":1506,"stddev":499.9,"var":249913.2,"ent":4.0,"data": [78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66]},"bins": {"c_to_s": [12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1587041687731296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABM83AAAP8RRNjAqAEGwKgBAfUPADUAOAAFY+UBAAABAAAAAAAABmV1bm8tMQNhcGkPbWljcm9zb2Z0c3RyZWFtA2NvbQAAAQAB"}
 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -356,7 +356,7 @@
 01024{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2260,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687745080,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1587041687745080,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.169.186.119"}}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687745932,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687745932,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041687745932,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"}
-01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749,0]},"pktlen": {"min":66,"avg":750.7,"max":1506,"stddev":694.0,"var":481656.1,"ent":4.3,"data": [78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1]}}
+01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749]},"pktlen": {"min":66,"avg":750.7,"max":1506,"stddev":694.0,"var":481656.1,"ent":4.3,"data": [78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1]}}
 01717{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041687789261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1587041687789367,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041687789367,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"}
@@ -393,10 +393,10 @@
 01085{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691169247,"flow_dst_last_pkt_time":1587041691190981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041691190981,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"emea.ng.msg.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041691410839}
 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691399733,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18972.7,"max":276869,"stddev":49493.9,"var":2449644032.0,"ent":2.9,"data": [19199,19302,171,22008,34,21827,18,184,203,246,14,193,1070,12295,280,19893,29,6313,3,603,11971,11399,1472,1415,54998,62106,42,25528,33,18437,276869,0]},"pktlen": {"min":66,"avg":384.2,"max":1506,"stddev":512.1,"var":262257.7,"ent":4.0,"data": [78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349]},"bins": {"c_to_s": [11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18972.7,"max":276869,"stddev":49493.9,"var":2449644032.0,"ent":2.9,"data": [19199,19302,171,22008,34,21827,18,184,203,246,14,193,1070,12295,280,19893,29,6313,3,603,11971,11399,1472,1415,54998,62106,42,25528,33,18437,276869]},"pktlen": {"min":66,"avg":384.2,"max":1506,"stddev":512.1,"var":262257.7,"ent":4.0,"data": [78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349]},"bins": {"c_to_s": [11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041691611256}
 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691582349,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":328636.7,"max":8978171,"stddev":1582353.1,"var":2503841415168.0,"ent":0.8,"data": [47150,47228,506,44398,29,43913,16,46,186,124,2,213,4,4433,9743,291,46519,32116,477,409,98,18910,1378,20235,62883,403234,424977,8978171,32,9,7,0]},"pktlen": {"min":54,"avg":353.2,"max":1506,"stddev":486.1,"var":236250.5,"ent":4.0,"data": [78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92]},"bins": {"c_to_s": [10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":328636.7,"max":8978171,"stddev":1582353.1,"var":2503841415168.0,"ent":0.8,"data": [47150,47228,506,44398,29,43913,16,46,186,124,2,213,4,4433,9743,291,46519,32116,477,409,98,18910,1378,20235,62883,403234,424977,8978171,32,9,7]},"pktlen": {"min":54,"avg":353.2,"max":1506,"stddev":486.1,"var":236250.5,"ent":4.0,"data": [78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92]},"bins": {"c_to_s": [10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041692528594,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1587041692528594,"l3_proto":"ip4","src_ip":"151.11.50.139","dst_ip":"192.168.1.6","src_port":2222,"dst_port":54750,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00693{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1587041692528594,"pkt":"KDc3AG3IEBMx8Tl2CABFAACscMtAADIGTDyXCzKLwKgBBgiu1d6yibcLw8sjj4AYAfWSMAAAAQEICnMgXuAwhCbwdBDZH1X2LNSHenV0XPT5UOuNQPq3DAtDODIIsZ4L3xE8W9ceOtMh\/taRn1i3oYCG\/lk5DiXu3JH7RFT8gb0ANFHp9LfVVHPD+A0sB0\/WJaUdO\/QQPvH9sYa9nCylNS5SUfWnuhHHtKPL+2Ql1DSrQI\/KjFfe6Sr3"}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2439,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528684,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041692528684,"pkt":"EBMx8Tl2KDc3AG3ICABFSAA0AABAAEAGrzfAqAEGlwsyi9XeCK7DyyOPsom3g4AQD\/zTvAAAAQEICjCE1UVzIF7g"}
@@ -515,7 +515,7 @@
 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2683,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041695422685,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695422685,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041695422685,"l3_proto":"ip4","src_ip":"52.114.252.8","dst_ip":"192.168.1.6","src_port":3479,"dst_port":50016,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}}
 00634{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2685,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695432665,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695432665,"pkt":"EBMx8Tl2KDc3AG3ICABFAACA0aoAAEARtpnAqAEGNHL8CMNgDZcAbO2O\/xAAYN6qKWcI9wj8AQEARCESpEKBJ1p+KLNk2I89FPmAcAAEAAAABwAgAAgAASyFFWBYSoA3AAQAAAACgDYABAAAAAEACAAUmYtT\/sgffZE\/GPjMTGRSk5h1N+2AKAAEPqesNg=="}
 00632{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2688,"source":"teams.pcap","alias":"nDPId-test","flow_id":80,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695421892,"flow_dst_last_pkt_time":1587041695433333,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695433333,"pkt":"EBMx8Tl2KDc3AG3ICABFAACAFs8AAEARcWjAqAEGNHL8FcN0DZgAbMYz\/xAAYGUfNM4ueRX8AQEARCESpEK59F1PLtIJs2rQCYqAcAAEAAAABwAgAAgAASyKFWBYV4A3AAQAAAACgDYABAAAAAEACAAUb+d2GMvNHhGxBtT1sjJNLSVYAvSAKAAEqoFJXQ=="}
-01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":71850.4,"max":1566873,"stddev":274680.6,"var":75449425920.0,"ent":1.9,"data": [44968,45079,183,47440,47249,164,13,124,2,107,17,104,3,107,2,120,2,1,8026,8,35,52434,1246,45626,48613,92238,43679,69083,272,113543,1566873,0]},"pktlen": {"min":54,"avg":270.9,"max":1506,"stddev":427.0,"var":182315.3,"ent":3.8,"data": [78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60]},"bins": {"c_to_s": [15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
+01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":71850.4,"max":1566873,"stddev":274680.6,"var":75449425920.0,"ent":1.9,"data": [44968,45079,183,47440,47249,164,13,124,2,107,17,104,3,107,2,120,2,1,8026,8,35,52434,1246,45626,48613,92238,43679,69083,272,113543,1566873]},"pktlen": {"min":54,"avg":270.9,"max":1506,"stddev":427.0,"var":182315.3,"ent":3.8,"data": [78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60]},"bins": {"c_to_s": [15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 00650{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2696,"source":"teams.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586059,"flow_dst_last_pkt_time":1587041695278787,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586059,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMZh4AAEARkejAqAEGwKgABMNgw1UAeNtRAAEAXCESpELGQpqANK6irJWNCoEABgAJbzUvSTpGWTMyAAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUNaR7w6XgHLmtRZxpBWKVkGuwhq2AKAAE+3W4lQ=="}
 00652{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2697,"source":"teams.pcap","alias":"nDPId-test","flow_id":77,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586146,"flow_dst_last_pkt_time":1587041695278905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586146,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMyucAAEARLR\/AqAEGwKgABMN0w2QAeBWjAAEAXCESpEJMnOcpR8XuRjfgdwcABgAJSkZ3ajorbUl2AAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUZBvpMZrPL2uguq2xDA1A6CBjF+2AKAAEncV\/3g=="}
 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2699,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041695611288}
@@ -538,7 +538,7 @@
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697660621,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA40fgAADUBJWpdR27NwKgBBgMDcCsAAAAARQAASh2AAAAyEd1gwKgBBl1Hbs3DdD\/NADaJWQ=="}
 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041697660621,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041697660621,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}}
 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2774,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":2,"flow_src_last_pkt_time":1587041697673040,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697673040,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA4akMAADUBjR9dR27NwKgBBgMDcBsAAAAARQAAWp4wAAAyEVygwKgBBl1Hbs3DdD\/NAEaJWQ=="}
-01887{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":160381.3,"max":1168245,"stddev":365653.3,"var":133702352896.0,"ent":2.7,"data": [24795,221,101349,1168245,1167037,967065,50759,1119237,13,25,50990,80302,1990,2655,3736,4,1,2,10681,24170,9306,21453,4525,19907,25341,9245,24382,24626,9496,26004,24257,0]},"pktlen": {"min":80,"avg":267.4,"max":1256,"stddev":374.4,"var":140199.2,"ent":4.1,"data": [154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116]},"bins": {"c_to_s": [0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":160381.3,"max":1168245,"stddev":365653.3,"var":133702352896.0,"ent":2.7,"data": [24795,221,101349,1168245,1167037,967065,50759,1119237,13,25,50990,80302,1990,2655,3736,4,1,2,10681,24170,9306,21453,4525,19907,25341,9245,24382,24626,9496,26004,24257]},"pktlen": {"min":80,"avg":267.4,"max":1256,"stddev":374.4,"var":140199.2,"ent":4.1,"data": [154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116]},"bins": {"c_to_s": [0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1587041693828302,"flow_src_last_pkt_time":1587041694047808,"flow_dst_last_pkt_time":1587041694047695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":235,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":567,"flow_dst_tot_l4_payload_len":6363,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041695435668,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":13,"flow_first_seen":1587041693582610,"flow_src_last_pkt_time":1587041694243274,"flow_dst_last_pkt_time":1587041694243144,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}}
@@ -634,8 +634,8 @@
 ~~ total active/idle flows...: 83/83
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7178464 bytes
-~~ total memory freed........: 7178464 bytes
+~~ total memory allocated....: 7178132 bytes
+~~ total memory freed........: 7178132 bytes
 ~~ total allocations/frees...: 125478/125478
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 187 chars
diff --git a/test/results/teamspeak3.pcap.out b/test/results/teamspeak3.pcap.out
index 2e92bb584..b9214a5f4 100644
--- a/test/results/teamspeak3.pcap.out
+++ b/test/results/teamspeak3.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6036022 bytes
-~~ total memory freed........: 6036022 bytes
+~~ total memory allocated....: 6036018 bytes
+~~ total memory freed........: 6036018 bytes
 ~~ total allocations/frees...: 121500/121500
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
diff --git a/test/results/teamviewer.pcap.out b/test/results/teamviewer.pcap.out
index e146ba138..42d7a5105 100644
--- a/test/results/teamviewer.pcap.out
+++ b/test/results/teamviewer.pcap.out
@@ -4,13 +4,13 @@
 00499{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":330297046,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":330433319,"pkt":"CAAns+YuUlQAEjUCCABFAAAsCdUAAEAGv0Si+gKqCgACDxcyi5QCaioBKWjIKmAS\/\/8lnwAAAgQFtA=="}
 00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":330434281,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":330434281,"pkt":"UlQAEjUCCAAns+YuCABFAAAoOl1AAEAGTsAKAAIPovoCqouUFzIpaMgqAmoqAlAQ+vBCawAAAAAAAAAA"}
 00845{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":330297046,"flow_src_last_pkt_time":330434854,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":330434854,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
-01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":330297046,"flow_src_last_pkt_time":331331838,"flow_dst_last_pkt_time":331332084,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6059,"flow_dst_tot_l4_payload_len":4420,"midstream":0,"thread_ts_usec":331332084,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":66768.7,"max":274397,"stddev":88285.8,"var":7794386432.0,"ent":3.8,"data": [136273,137235,573,1795,12093,11937,35737,56,35774,25,88318,88631,11617,11587,151937,89,151972,35682,35919,255841,274397,18558,256484,257570,1057,306,258,28908,45,29127,29,0]},"pktlen": {"min":54,"avg":383.0,"max":1514,"stddev":516.4,"var":266637.3,"ent":3.9,"data": [74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54]},"bins": {"c_to_s": [5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":330297046,"flow_src_last_pkt_time":331331838,"flow_dst_last_pkt_time":331332084,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6059,"flow_dst_tot_l4_payload_len":4420,"midstream":0,"thread_ts_usec":331332084,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":66768.7,"max":274397,"stddev":88285.8,"var":7794386432.0,"ent":3.8,"data": [136273,137235,573,1795,12093,11937,35737,56,35774,25,88318,88631,11617,11587,151937,89,151972,35682,35919,255841,274397,18558,256484,257570,1057,306,258,28908,45,29127,29]},"pktlen": {"min":54,"avg":383.0,"max":1514,"stddev":516.4,"var":266637.3,"ent":3.9,"data": [74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54]},"bins": {"c_to_s": [5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00730{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":238,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520136114,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":520136114,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520136114,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":520136114,"pkt":"UlQAEjUCCAAns+YuCABFAAB8z5cAAEARYKoKAAIPXS\/g8YZxjMUAaPehAAAAAAAAAAAAAAMXJEdQAAUAAAAAAAAAAAAAADkzLjQ3LjIyNC4yNDEAAADFjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520148441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":520148441,"pkt":"CAAns+YuUlQAEjUCCABFAAB8FPQAAEARG05dL+DxCgACD4zFhnEAaPihAAAAAAAAAAAAAAMXJEdQAAUAAAAAAAAAAAAAADkzLjQ3LjIyNC4yNDEAAADEjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 01097{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":240,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160692,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":506,"pkt_l4_len":472,"thread_ts_usec":520160692,"pkt":"CAAns+YuUlQAEjUCCABFAAHsFPcAAEARGdtdL+DxCgACD4zFhnEB2EYbAAAAAAAAAAAAAAMXJEfAAQQAAAA7Jmk0CQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":241,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":3,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160749,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":1584,"midstream":0,"thread_ts_usec":520160749,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
-01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":36716.1,"max":442863,"stddev":96766.6,"var":9363771392.0,"ent":2.6,"data": [12327,12251,57,40726,3898,3159,6600,81845,9028,72,7415,9247,442863,41858,345075,64,9,8,11,9,7,2034,57,13,9567,57,8,51028,58831,63,12,0]},"pktlen": {"min":58,"avg":452.8,"max":1066,"stddev":450.4,"var":202865.5,"ent":4.3,"data": [138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85]},"bins": {"c_to_s": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":36716.1,"max":442863,"stddev":96766.6,"var":9363771392.0,"ent":2.6,"data": [12327,12251,57,40726,3898,3159,6600,81845,9028,72,7415,9247,442863,41858,345075,64,9,8,11,9,7,2034,57,13,9567,57,8,51028,58831,63,12]},"pktlen": {"min":58,"avg":452.8,"max":1066,"stddev":450.4,"var":202865.5,"ent":4.3,"data": [138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85]},"bins": {"c_to_s": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 01144{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1259,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1008,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":558067677,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":520398,"midstream":0,"thread_ts_usec":579147460,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1283,"source":"teamviewer.pcap","alias":"nDPId-test","packets-captured":1283,"packets-processed":1282,"total-skipped-flows":0,"total-l4-payload-len":643545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":1,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":633881700}
 01144{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1289,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1008,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":558067677,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":520398,"midstream":0,"thread_ts_usec":639022187,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
@@ -25,10 +25,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6074932 bytes
-~~ total memory freed........: 6074932 bytes
+~~ total memory allocated....: 6074924 bytes
+~~ total memory freed........: 6074924 bytes
 ~~ total allocations/frees...: 122796/122796
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
-~~ json string max len.......: 1929 chars
-~~ json string avg len.......: 1211 chars
+~~ json string max len.......: 1927 chars
+~~ json string avg len.......: 1210 chars
diff --git a/test/results/telegram.pcap.out b/test/results/telegram.pcap.out
index c68afacaf..c54fb6369 100644
--- a/test/results/telegram.pcap.out
+++ b/test/results/telegram.pcap.out
@@ -50,8 +50,8 @@
 00759{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604297208,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":238,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":238,"pkt_l4_len":204,"thread_ts_usec":1588779604297208,"pkt":"AQBeAAD7wJrQLWJ0CABFAADgDXQAAP8RCsDAqAE14AAA+xTpFOkAzL4AAAAAAAADAAMAAAABCF9ob21la2l0BF90Y3AFbG9jYWwAAAwAAQ9fY29tcGFuaW9uLWxpbmvAFQAMAAEMX3NsZWVwLXByb3h5BF91ZHDAGgAMAAHAJQAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AlwCUADAABAAARlAAOC0x1Y2EncyBpUGFkwCXAOwAMAAEAABGUABIPNTAtMzUtMTAtNzAuMSAxwDsAACkFoAAAEZQAEgAEAA4AMeKa0C1idMCa0C1idA=="}
 00788{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1588779604297420,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":258,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":258,"pkt_l4_len":204,"thread_ts_usec":1588779604297420,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAMwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QDMXFcAAAAAAAMAAwAAAAEIX2hvbWVraXQEX3RjcAVsb2NhbAAADAABD19jb21wYW5pb24tbGlua8AVAAwAAQxfc2xlZXAtcHJveHkEX3VkcMAaAAwAAcAlAAwAAQAAEZQAEA1MdWNh4oCZcyBpTWFjwCXAJQAMAAEAABGUAA4LTHVjYSdzIGlQYWTAJcA7AAwAAQAAEZQAEg81MC0zNS0xMC03MC4xIDHAOwAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"}
 00869{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"telegram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604398986,"flow_dst_last_pkt_time":1588779597291316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":320,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":320,"pkt_l4_len":286,"thread_ts_usec":1588779604398986,"pkt":"jP5XIzfkKDc3AG3ICABFAAEy\/rUAAP8ROBzAqAFNwKgBSxTpFOkBHhkOAACEAAAAAAEAAAAED19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AMwDIAIYABAAAAeAATAAAAAMAFCkx1Y2FzLWlNYWPAIcAyABCAAQAAEZQAWBZycEJBPTM5OjJBOjg4OkFDOjQxOkFCCnJwVnI9MTUyLjERcnBIST1mOWM0NmM2ZGQwN2QRcnBITj0zYzVkYzVjZTk1NzgRcnBIQT04Y2E4Y2I3MzFjMWMNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AHAAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xN8BUAAGAAQAAAHgABMCoAU0="}
-01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193,0]},"pktlen": {"min":142,"avg":198.7,"max":308,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380,0]},"pktlen": {"min":162,"avg":218.7,"max":328,"stddev":56.4,"var":3176.8,"ent":5.0,"data": [162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193]},"pktlen": {"min":142,"avg":198.7,"max":308,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380]},"pktlen": {"min":162,"avg":218.7,"max":328,"stddev":56.4,"var":3176.8,"ent":5.0,"data": [162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1588779606465822,"flow_dst_last_pkt_time":1588779596451825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"thread_ts_usec":1588779606465822,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzGJdAAEARYHrAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABAmSTUAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
 00918{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1588779596464729,"flow_src_last_pkt_time":1588779607307651,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":196,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779607307651,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_sleep-proxy._udp.local","mdns": {}}}
 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1588779607308336,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":162,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":162,"pkt_l4_len":108,"thread_ts_usec":1588779607308336,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAGwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QBsCTwAAAAAAAEAAQAAAAEMX3NsZWVwLXByb3h5BF91ZHAFbG9jYWwAAAwAAcAMAAwAAQAAEZEAEg81MC0zNS0xMC03MC4xIDHADAAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"}
@@ -118,14 +118,14 @@
 00997{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779617174225,"flow_src_last_pkt_time":1588779617174225,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779617174225,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":23174,"dst_port":60723,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617350710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617350710,"pkt":"KDc3AG3I8KNaMBgSCABFAABsUAUAAEARpqrAqAE0wKgBTXr4WoYAWLDM6Td5ePjQrnTyke2EPHu3iQJhxLIf06esu8RwrHmFIT7cHf5ycIamk2yhxwjAfE09exZIgAEDzMDiso7KFMuIe8fjwzyyS3MKiG+Cd3eNuy0="}
 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617856441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617856441,"pkt":"KDc3AG3I8KNaMBgSCABFAABsRZ4AAEARsRHAqAE0wKgBTXr4WoYAWPxjToIQs5m5XoZB1qDehmfhJomQUeopOlZuJIIaL6qE8BgtmXQ6sqxHJAacGMTU5S5RgUjUPrOpUP\/aPObI3ORz5PRGJjnynufzdcsxdb\/ZTPY="}
-01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393,0]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1588779618677198,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779618677198,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMg0kAAEAREJTAqAFNVwvNw1qG7TMAOE0OU2RiXNjy8sJRKs8KhnTyEy6Nhnt95vQlharNkBkXr2lvtMgl2dlHhYY4WvPjXQkp"}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1588779619914905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABHqTUAAEARTdLAqAFNwKgBAbgXADUAM25TALgBAAABAAAAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAQ=="}
 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1588779619916408,"pkt":"KDc3AG3IAICPmq69CABFAABXwqhAAEAR9E7AqAEBwKgBTQA1uBcAQ5UvALiBgAABAAEAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAcAMAAEAAQAAAAAABMCoAZ0="}
 01160{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":59,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":59,"midstream":0,"thread_ts_usec":1588779619916408,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"192.168.1.157"}}}
-01622{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696,0]},"pktlen": {"min":90,"avg":205.5,"max":282,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
+01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696]},"pktlen": {"min":90,"avg":205.5,"max":282,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}}
 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779625981468,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":355,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":355,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":355,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779625981468,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00990{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"thread_ts_usec":1588779625981468,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/jrEAAEAR6r0AAAAA\/\/\/\/\/wBEAEMBa16\/AQEGAN7JmyKFuQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="}
@@ -205,10 +205,10 @@
 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":753,"source":"telegram.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048873,"flow_dst_last_pkt_time":1588779637682180,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048873,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE8IoAAEARYLjAqAFNW2wMBW32AhkAMMg9L+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/8fmAjwvVRcdw=="}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":754,"source":"telegram.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048996,"flow_dst_last_pkt_time":1588779637712776,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048996,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE3R0AAEARcCfAqAFNW2wQA232AhkAMFmIL+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/13zLCZd4eiw=="}
 00735{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":825,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_src_last_pkt_time":1588779638831421,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779638831421,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKuMQAAAERTm\/AqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"}
-01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605,0]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01741{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779639103009,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779639103009,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":28150,"dst_port":59772,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779639103009,"pkt":"EBMx8Tl2KDc3AG3ICABFAABsKQMAAEARarrAqAFNVwvNw2326XwAWFNj2ajstQcU9VmrWsN2RmlsiodFzsmW0mXr5Gv8o0f2aR9YWQKIE34PAz\/0T4VwEA0DXBRrws2ycCoPovMV6p5YsfJULcJS2cwqBKkU3Xys+SQ="}
-01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617,0]},"pktlen": {"min":74,"avg":157.0,"max":218,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617]},"pktlen": {"min":74,"avg":157.0,"max":218,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":899,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1588779639832508,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779639832508,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKAckAAAERBWvAqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"}
 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":915,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1588779640101988,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779640101988,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMml0AAEAR+X\/AqAFNVwvNw2326XwAOMsSsmK\/vWlJHJOqyuLBG8kWaad6RX1I27GljGkLPfHdr93dNQ8yPA7ggZLrS4Zn185b"}
 00913{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1129,"source":"telegram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1588779645375046,"flow_dst_last_pkt_time":1588779596465053,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":353,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":353,"pkt_l4_len":319,"thread_ts_usec":1588779645375046,"pkt":"AQBeAAD7eCjKBfrMCABFAAFTiPpAAAERTLfAqAFF4AAA+xTpFOkBP9DmAACEAAAAAAEAAAADEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAAADAABAAAAeAAvEXNvbm9zNzgyOENBMDVGQUNDEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MQX3Nwb3RpZnktY29ubmVjdARfdGNwBWxvY2FsAAAQgAEAABGUAB0LVkVSU0lPTj0xLjAQQ1BhdGg9L3Nwb3RpZnl6YxFzb25vczc4MjhDQTA1RkFDQxBfc3BvdGlmeS1jb25uZWN0BF90Y3AFbG9jYWwAACGAAQAAAHgAHwAAAAAFeBFzb25vczc4MjhDQTA1RkFDQwVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MFbG9jYWwAAAGAAQAAAHgABMCoAUU="}
@@ -301,8 +301,8 @@
 ~~ total active/idle flows...: 48/48
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6157214 bytes
-~~ total memory freed........: 6157214 bytes
+~~ total memory allocated....: 6157022 bytes
+~~ total memory freed........: 6157022 bytes
 ~~ total allocations/frees...: 123509/123509
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/telnet.pcap.out b/test/results/telnet.pcap.out
index 65c5e4f81..5e5071cd1 100644
--- a/test/results/telnet.pcap.out
+++ b/test/results/telnet.pcap.out
@@ -7,7 +7,7 @@
 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":2,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158537777,"flow_dst_last_pkt_time":943755158537538,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":943755158537777,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}}
 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158616442,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755159705066,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}}
 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":31,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160949196,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160949196,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}}
-01548{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":125200.9,"max":1232764,"stddev":336743.6,"var":113396252672.0,"ent":2.2,"data": [2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372,0]},"pktlen": {"min":66,"avg":77.2,"max":151,"stddev":18.8,"var":354.0,"ent":5.0,"data": [74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66]},"bins": {"c_to_s": [15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0]}}
+01546{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":125200.9,"max":1232764,"stddev":336743.6,"var":113396252672.0,"ent":2.2,"data": [2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372]},"pktlen": {"min":66,"avg":77.2,"max":151,"stddev":18.8,"var":354.0,"ent":5.0,"data": [74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66]},"bins": {"c_to_s": [15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0]}}
 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}}
 01019{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":44,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755197957149,"flow_dst_last_pkt_time":943755197958477,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":488,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":943755197958477,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess"}}
 00557{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","packets-captured":92,"packets-processed":92,"total-skipped-flows":0,"total-l4-payload-len":1660,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":943755197958477}
@@ -19,10 +19,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040361 bytes
-~~ total memory freed........: 6040361 bytes
+~~ total memory allocated....: 6040357 bytes
+~~ total memory freed........: 6040357 bytes
 ~~ total allocations/frees...: 121580/121580
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1553 chars
-~~ json string avg len.......: 1004 chars
+~~ json string max len.......: 1551 chars
+~~ json string avg len.......: 1003 chars
diff --git a/test/results/teredo.pcap.out b/test/results/teredo.pcap.out
index 21e4f393e..fd8903d27 100644
--- a/test/results/teredo.pcap.out
+++ b/test/results/teredo.pcap.out
@@ -36,8 +36,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042853 bytes
-~~ total memory freed........: 6042853 bytes
+~~ total memory allocated....: 6042833 bytes
+~~ total memory freed........: 6042833 bytes
 ~~ total allocations/frees...: 121551/121551
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/tftp.pcap.out b/test/results/tftp.pcap.out
index aa75fa389..e69c5adcb 100644
--- a/test/results/tftp.pcap.out
+++ b/test/results/tftp.pcap.out
@@ -14,7 +14,7 @@
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":12,"thread_ts_usec":946730124846355,"pkt":"AFCN14tDAAu+GJpACABFAAAgAAEAAP8ROXTAqAD9wKgACsW6DXUADKpJAAQAAQAAAAAAAAAAAAAAAAAA"}
 01176{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":558,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":558,"pkt_l4_len":524,"thread_ts_usec":946730124846355,"pkt":"AAu+GJpAAFCN14tDCABFAAIgkycAAIARI07AqAAKwKgA\/Q11xboCDOXlAAMAAkIgT2ZmaWNpYWwgUHJvdG9jb2wKICAgU3RhbmRhcmRzIiBmb3IgdGhlIHN0YW5kYXJkaXphdGlvbiBzdGF0ZSBhbmQgc3RhdHVzIG9mIHRoaXMgcHJvdG9jb2wuCiAgIERpc3RyaWJ1dGlvbiBvZiB0aGlzIG1lbW8gaXMgdW5saW1pdGVkLgoKU3VtbWFyeQoKICAgVEZUUCBpcyBhIHZlcnkgc2ltcGxlIHByb3RvY29sIHVzZWQgdG8gdHJhbnNmZXIgZmlsZXMuICBJdCBpcyBmcm9tCiAgIHRoaXMgdGhhdCBpdHMgbmFtZSBjb21lcywgVHJpdmlhbCBGaWxlIFRyYW5zZmVyIFByb3RvY29sIG9yIFRGVFAuCiAgIEVhY2ggbm9udGVybWluYWwgcGFja2V0IGlzIGFja25vd2xlZGdlZCBzZXBhcmF0ZWx5LiAgVGhpcyBkb2N1bWVudAogICBkZXNjcmliZXMgdGhlIHByb3RvY29sIGFuZCBpdHMgdHlwZXMgb2YgcGFja2V0cy4gIFRoZSBkb2N1bWVudCBhbHNvCiAgIGV4cGxhaW5zIHRoZSByZWFzb25zIGJlaGluZCBzb21lIG9mIHRoZSBkZXNpZ24gZGVjaXNpb25zLgoKQWNrbm93bGVnZW1lbnRzCgogICBUaGUg"}
 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":8,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
-01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":60,"avg":309.0,"max":558,"stddev":249.0,"var":62001.0,"ent":4.5,"data": [558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
+01650{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":60,"avg":309.0,"max":558,"stddev":249.0,"var":62001.0,"ent":4.5,"data": [558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}}
 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25039,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":946733724846355}
 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946733724846355,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":19,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946733724846355,"l3_proto":"ip4","src_ip":"172.28.4.53","dst_ip":"172.16.5.170","src_port":54627,"dst_port":69,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":61,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":61,"pkt_l4_len":27,"thread_ts_usec":946733724846355,"pkt":"9Opn97JCCAAnntJbCABFAAAv+hlAAEAR3pisHAQ1rBAFqtVjAEUAGx52AAFzeXNtYW4ubGlzAG9jdGV0AA=="}
@@ -44,10 +44,10 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6048634 bytes
-~~ total memory freed........: 6048634 bytes
+~~ total memory allocated....: 6048606 bytes
+~~ total memory freed........: 6048606 bytes
 ~~ total allocations/frees...: 121656/121656
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1718 chars
-~~ json string avg len.......: 1102 chars
+~~ json string max len.......: 1655 chars
+~~ json string avg len.......: 1071 chars
diff --git a/test/results/threema.pcap.out b/test/results/threema.pcap.out
index e5dfc504f..75dd601a7 100644
--- a/test/results/threema.pcap.out
+++ b/test/results/threema.pcap.out
@@ -48,8 +48,8 @@
 ~~ total active/idle flows...: 6/6
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6058480 bytes
-~~ total memory freed........: 6058480 bytes
+~~ total memory allocated....: 6058456 bytes
+~~ total memory freed........: 6058456 bytes
 ~~ total allocations/frees...: 121626/121626
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/tinc.pcap.out b/test/results/tinc.pcap.out
index 6b5d183b2..25b3e3f44 100644
--- a/test/results/tinc.pcap.out
+++ b/test/results/tinc.pcap.out
@@ -20,8 +20,8 @@
 01002{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983428043218,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":724,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":724,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1495983428043218,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 02451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1495983428043268,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1486,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1486,"pkt_l4_len":1452,"thread_ts_usec":1495983428043268,"pkt":"ACbGCvpSABcILL3nCABFCAXAAABAADERhNO5U9pwg3KoG9lo2WgFrCCQQfVUKnrm4XUK3wfxxn8qlQ5ZlUxAsin94OmtvvCqeiNDv9hCgysXgIe\/Jwp6foEgyUgSLwbFE+jFX5EiTbzvLxw+eE+9kkIbIypcFMAA862am\/h5EhYX9oyZgZit\/ohLFdBZAd\/9piW+TIg1JYKUHUk24mSNhkzehqNGbaa8v1XNXvCAKUf+je80JL2ztiSjDNtOMrbTSNyuOyDQhbbpaRAakKCJ88rhmRVZWPpGUvSoCLUQLdy+ls4UP9VbLIv60yNlhG\/tIZF+Y9AgYJgNK7469NXCZUoHPgebmwGoSIBvEupGZ2HWMq5tD1YtSNLd5mdcZ4U6bdW57PJT8Mqpobu5nNKCEUTKU8fv54QllT27onCmdTrjSLU7i56qGCPKz8Pmgpd+4MU1sOXlteqk11G5kxvUePU9AHDMWVZcDsBw+8w6+Ab\/JxYo4ilYPsOkX7nL+VL0USjj5AuG8wFeeDnvZeQURQeN12MuZewRpRzkJa5jIqIQqHHvEIR3I+NlcYV0IJXsrpavQ6RSGtYmR7+94hoEShFxTK6D2mPtrdLiAqRfmJptPiSWLm5Mqo0iayfkgY6sd6M1vwIpwRPc0qQOtn1doDjup9IIauyzdANQF9x2voU4Z8dsvHyVyVE9VF\/Qdb\/Bbe15\/vrLpOF+cB00\/TXrJ07AVZHqEwel\/iScs2S9kgqiIjzb1T0G6y8xlHQV7ktrErMlC4GXnRqlxWayYa4G266nN6wc0wTy9MD7G5DpqxUPZwZIrxZiMHXc4mPXA210XTsNG7LVVQM581lStiGr1a4pUZOImjoO\/gk5frgMuu6jHFgEA+vJuy5sW5lQpb37IXQqFXKKxN2z8Ke+x4zy7ALHVigelzuNCf3HZfol1uD4eeP+2tpVITMiH4O5PCcLDMT1yYFhbvLg8pREkBITQB+rUBzFhHXEVteh6noPH6hIRkDIrLyfEHdswFs6MATwSlSxKkz0QuaSV8BEXCeHOM+JmmNRCgSmcHuzwrDdDGG7eSF7kzVOXV4KPQtBdbB4rq\/rFfGJFSiBXn2huFIeNdQhj4gFtDQIfYjXMsmhSsrScwjLj7C7jg2Rwm\/XuhfLgws3rBZC6s4ClAl8Lku7gDzAWOdYgK2FafJmEnZR3NXAFEI8JF5r5ITwwBATJADMcv7GO51VLOgFAuacu5w0kk1gxapzbHcSOdPeKJB+9voPecizTzqOKMuqIngnpb\/qfLXWqnLz7U6\/\/ui4aHgWF+lKp0xsjiPYD9YnVxFJE08oruybimAl5F4KHctwad6wrnqDh7AMDE3spgEO04z6pL2VZXL\/wvq6pxHL80kORMsGZgPOmyHtPCRE5Jd+RFgmwBejwRrNJFCuLc2P622GjZ1t\/hPuud14khvjnfHdyfKsl19iLyzwv7qu0oEoiwBrYf06g7MzcULZl4XUxJNSE9RYU15rJmRxguh4eXuIOqgIqrfkbI\/\/vDyBWYyc45utTloDIm+GnDiAeigtPF4FijLPE9qVDfQilPuHMnf6UDvllbgNqo19g3gnmLroqXep+7LyRYp4sWr4\/d\/TZKaCucaaCwVm1u\/1te\/n+aOftes5xygxK+OaKehbJ47nnj4GJRcueg7KFHNq2ES0Uj1Rh2+lhguZLWYwLh4\/FPK0vdBcca9l29F4kxSaDHn6BeoZpX+wivGn5jMTbID2EPugYpELm+yXQDHU1W7JBJkdRRhJfBWIKo8UZofXK4qgL2\/MqCqF2T2\/hEjt9sAO7DVGx2T23++65+kzCDH2qiAfrQdQFlN08V17FGkydmcJibPSSbSe7aLjPjiXuGdc7ip\/LMmiTS0sCJq6zHCBk5aHilHCEqmTl+eL9Q9vwrMeAdX+cTIhD7xTxK6aeGzriTEJFQi6+ZDkO2+SfJZlZhRSLhc55JEaOH4LdN2VABhAfw=="}
 01734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1495983428043295,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":958,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":958,"pkt_l4_len":924,"thread_ts_usec":1495983428043295,"pkt":"ACbGCvpSABcILL3nCABFCAOwAABAADERhuO5U9pwg3KoG9lo2WgDnO+CxkvMU5czu375VqRfqLEu7HGryDGh\/bfeaQJnEYyovrmntDxt74C8PKQJMHvY4MA1ZHuHhnLJLLc7h764zEbGLw\/vzqsaP4XOJmX3J5ZoXTmAMsXnjvJUPqVeWdg0PXJhqa6st9hNynxv5D0rpJqm0\/zV192qcE59jCUVvmB8PfyMGzNb8iu7j79YvIHCzFHzmycvx5sIdKuzv+9aaD2+9O1fWAuPwq8\/8DIg8DeQB7htbL3\/j6lwDGupSOVHCsI1+lYyNr8A5\/OFujJsJCBzKGXQVn+oJRoQMsFgr0giRTOfhVQb+GlZOLXTcVvxl6mNiWSoDQXoxAfPuixrlp8F\/MUrFtVqJYJIqlWUSZ0FHJzKiXJ5yQvwNmnsvYHqMQNW6ZCn++1tGEto8r5tq\/BDe0FvMAOQC\/Iq49d9xjtHRJaZkPSuUT0Ue8\/0Y0g7e7MLBCNRDp3pFvP\/SDROeSBv+1Hrsd3VgZ3eZsdET6SE7O+jiB1npy8XRuCERu\/h5FlX8FbvbKHJP4IXbapoGYosv9tEU2XONo65wz3MCF\/bVbrUPcOASb6j+c55C5rFZMKjA9llC2lki+5ox8NX3C0rsVb9ezbzAq4pvwBxx6yeMVlmBhRxjwXLWviN6bjb8+kKUMxdeqvtFZ90hWLG3av8x5N1D1shhjp\/Pkh3vfzESwJoedvps7xxuR16c9ku4Rlje1SzPbiXWLLd2ctB3NoWHVeTFrvLRU2yqM5LNXQpjLOWYVqndimokWzm3PvfsX2+ickLKvqhiNB8NMbCQKKllVtQtaf37M0W3hxij8fNqkfQ3Dwvv36xYQY6aA2cxZJ7cAJfgWt3+2IqzsbQ\/hOa1lDnl8uliASJ4hjXOWhi4prZ86H1uoSeDR53SAlBdMQQ3YoaLSv6kQQOXAUwHuZQi7+x\/RE5HfoAvVeNzG90OcOnL2uiCxjhyp3\/swc9NGfoqhpvTPlS\/HF6E4gzQu+uwm3Kmj7AsKixik3ciIBb6VqLoyiaQR35wKSQydm3qyc2A8RxVwJEHM9ChZNid+PGF9MC3cdjsTP6IG4AOw3VS8jLQznT38vyJvgWelWwQ+I9gJ2zh8MbfaLP+EWNQPI478wMYlCsuyg5uNNDg0lSF1epToqo6+lky+h2nAa21hKOviRtVRN8LV88QPWbYJx4n3gM4sg9yVPde6y+bdl\/hYGe1J5JIAW7OGyTqN+C43dvapKXMw=="}
-01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":171568.9,"max":1069532,"stddev":377387.1,"var":142420983808.0,"ent":2.5,"data": [157,27472,47,25,27522,244,68,237,181,126,15445,30,41839,33,23,1057953,304,258,1003680,53,1840,184,45315,102,25,1024085,82,1069532,137,1001358,279,0]},"pktlen": {"min":190,"avg":1149.2,"max":1510,"stddev":450.4,"var":202833.5,"ent":4.9,"data": [686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494]},"bins": {"c_to_s": [0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0],"s_to_c": [0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0]},"directions": [0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
-01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":290670.0,"max":2412459,"stddev":558680.6,"var":312123949056.0,"ent":2.9,"data": [50,27,594,482,207,142,1049148,39,24,1048033,86,239,119,120,91,44079,43,25,1044735,279,1021999,20586,1001463,275,241,363633,1001240,149,123,2412459,39,0]},"pktlen": {"min":118,"avg":1025.0,"max":1494,"stddev":450.3,"var":202783.0,"ent":4.8,"data": [766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374]},"bins": {"c_to_s": [0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0],"s_to_c": [0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":171568.9,"max":1069532,"stddev":377387.1,"var":142420983808.0,"ent":2.5,"data": [157,27472,47,25,27522,244,68,237,181,126,15445,30,41839,33,23,1057953,304,258,1003680,53,1840,184,45315,102,25,1024085,82,1069532,137,1001358,279]},"pktlen": {"min":190,"avg":1149.2,"max":1510,"stddev":450.4,"var":202833.5,"ent":4.9,"data": [686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494]},"bins": {"c_to_s": [0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0],"s_to_c": [0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0]},"directions": [0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":290670.0,"max":2412459,"stddev":558680.6,"var":312123949056.0,"ent":2.9,"data": [50,27,594,482,207,142,1049148,39,24,1048033,86,239,119,120,91,44079,43,25,1044735,279,1021999,20586,1001463,275,241,363633,1001240,149,123,2412459,39]},"pktlen": {"min":118,"avg":1025.0,"max":1494,"stddev":450.3,"var":202783.0,"ent":4.8,"data": [766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374]},"bins": {"c_to_s": [0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0],"s_to_c": [0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01042{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1495983427744301,"flow_src_last_pkt_time":1495983475109122,"flow_dst_last_pkt_time":1495983475109062,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1039,"flow_dst_max_l4_payload_len":1037,"flow_src_tot_l4_payload_len":3036,"flow_dst_tot_l4_payload_len":2354,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":49290,"dst_port":55656,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01055{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":101,"flow_dst_packets_processed":29,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983470930418,"flow_dst_last_pkt_time":1495983470973187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":132724,"flow_dst_tot_l4_payload_len":31332,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01056{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":105,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983463866065,"flow_dst_last_pkt_time":1495983463817214,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":116,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1468,"flow_src_tot_l4_payload_len":28820,"flow_dst_tot_l4_payload_len":135316,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}}
@@ -35,8 +35,8 @@
 ~~ total active/idle flows...: 4/4
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6054046 bytes
-~~ total memory freed........: 6054046 bytes
+~~ total memory allocated....: 6054030 bytes
+~~ total memory freed........: 6054030 bytes
 ~~ total allocations/frees...: 121844/121844
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/tk.pcap.out b/test/results/tk.pcap.out
index 23b89680d..9d35b8827 100644
--- a/test/results/tk.pcap.out
+++ b/test/results/tk.pcap.out
@@ -27,8 +27,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6039075 bytes
-~~ total memory freed........: 6039075 bytes
+~~ total memory allocated....: 6039063 bytes
+~~ total memory freed........: 6039063 bytes
 ~~ total allocations/frees...: 121513/121513
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 487 chars
diff --git a/test/results/tls-appdata.pcap.out b/test/results/tls-appdata.pcap.out
index 31b2430c7..bafe24e2e 100644
--- a/test/results/tls-appdata.pcap.out
+++ b/test/results/tls-appdata.pcap.out
@@ -12,7 +12,7 @@
 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288722000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1472,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288724000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288737000,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1643610288737000,"pkt":"YDjgxTWgeJS0JASgCABFAAAoJklAADkGXZQ038YHwKgCZAG75mCdFTAgOSeK4VAQCRZvcQAAAAAAAAAA"}
 00765{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":31,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642636825083000,"flow_src_last_pkt_time":1642636825195000,"flow_dst_last_pkt_time":1642636825303000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":135,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":429,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288741000,"l3_proto":"ip4","src_ip":"179.60.195.173","dst_ip":"192.168.2.100","src_port":443,"dst_port":60636,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":2458615.5,"max":15956000,"stddev":5752110.0,"var":33086771298304.0,"ent":1.0,"data": [2000,15000,3000,16000,1000,1000,15941000,1000,15956000,5000,19000,1000,1000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"pktlen": {"min":54,"avg":1143.2,"max":2958,"stddev":1252.1,"var":1567845.5,"ent":4.0,"data": [1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]},"directions": [0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0]}}
+01514{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":2458615.5,"max":15956000,"stddev":5752110.0,"var":33086771298304.0,"ent":1.0,"data": [2000,15000,3000,16000,1000,1000,15941000,1000,15956000,5000,19000,1000,1000]},"pktlen": {"min":54,"avg":1143.2,"max":2958,"stddev":1252.1,"var":1567845.5,"ent":4.0,"data": [1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]},"directions": [0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0]}}
 00887{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":46,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":45,"total-skipped-flows":0,"total-l4-payload-len":41014,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1643611942615000}
 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":76,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":76,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":70000,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":1643612754900000}
@@ -27,8 +27,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6081676 bytes
-~~ total memory freed........: 6081676 bytes
+~~ total memory allocated....: 6081668 bytes
+~~ total memory freed........: 6081668 bytes
 ~~ total allocations/frees...: 121624/121624
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 496 chars
diff --git a/test/results/tls-esni-fuzzed.pcap.out b/test/results/tls-esni-fuzzed.pcap.out
index 52d8e6c9c..e802c13c0 100644
--- a/test/results/tls-esni-fuzzed.pcap.out
+++ b/test/results/tls-esni-fuzzed.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6046428 bytes
-~~ total memory freed........: 6046428 bytes
+~~ total memory allocated....: 6046416 bytes
+~~ total memory freed........: 6046416 bytes
 ~~ total allocations/frees...: 121521/121521
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/tls-rdn-extract.pcap.out b/test/results/tls-rdn-extract.pcap.out
index 434618e67..196d746c3 100644
--- a/test/results/tls-rdn-extract.pcap.out
+++ b/test/results/tls-rdn-extract.pcap.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6079620 bytes
-~~ total memory freed........: 6079620 bytes
+~~ total memory allocated....: 6079616 bytes
+~~ total memory freed........: 6079616 bytes
 ~~ total allocations/frees...: 121546/121546
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/tls_2_reasms.pcapng.out b/test/results/tls_2_reasms.pcapng.out
index 00fe90291..cac5b82ce 100644
--- a/test/results/tls_2_reasms.pcapng.out
+++ b/test/results/tls_2_reasms.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040188 bytes
-~~ total memory freed........: 6040188 bytes
+~~ total memory allocated....: 6040184 bytes
+~~ total memory freed........: 6040184 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 499 chars
diff --git a/test/results/tls_2_reasms_b.pcapng.out b/test/results/tls_2_reasms_b.pcapng.out
index 6f156a3cd..ba4d36256 100644
--- a/test/results/tls_2_reasms_b.pcapng.out
+++ b/test/results/tls_2_reasms_b.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6076610 bytes
-~~ total memory freed........: 6076610 bytes
+~~ total memory allocated....: 6076606 bytes
+~~ total memory freed........: 6076606 bytes
 ~~ total allocations/frees...: 121512/121512
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 501 chars
diff --git a/test/results/tls_alert.pcap.out b/test/results/tls_alert.pcap.out
index 354b507b5..78fe87230 100644
--- a/test/results/tls_alert.pcap.out
+++ b/test/results/tls_alert.pcap.out
@@ -22,8 +22,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043991 bytes
-~~ total memory freed........: 6043991 bytes
+~~ total memory allocated....: 6043983 bytes
+~~ total memory freed........: 6043983 bytes
 ~~ total allocations/frees...: 121520/121520
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/tls_certificate_too_long.pcap.out b/test/results/tls_certificate_too_long.pcap.out
index 089373674..6c0207904 100644
--- a/test/results/tls_certificate_too_long.pcap.out
+++ b/test/results/tls_certificate_too_long.pcap.out
@@ -123,8 +123,8 @@
 02205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078674936,"flow_dst_last_pkt_time":1626168078673880,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1292,"pkt_l4_len":1258,"thread_ts_usec":1626168078674936,"pkt":"WNVuaKQA8BiYFWV8CABFAgT+AABAAEAGnGLAqAF5NGKjEtC0AbvnBmXsyo5yyVAYEACH9AAAFwMDBNEAAAAAAAAA3P9mE\/WxzRlzhJVvrME7arSt4cc4b80\/fLZ45lg2jTLN+h8OznVOp0v0YJHlvGb6zo1R0y0127nCMLhWICtDPy2FtY028GLgaBdr\/YLaP88jpPC2wcimHwfty2x4WKI+LPeYoEPRAYicmmTAxPlFzZuaf1iKs+Yu1pMdI4311+rTrqclcjjttiygU+MPtoh4rbcQQi4hllQZ9bpYWoVqJ+iSt2BigYH05vsyHmu879GAhVkohrBF89b4NLKyNAMo0\/QxqgG1rqZTGisx7FjNs8y8uxtw5iKWrSpnhwqsK8HdkzdODGF90yeLdn3CCNJgdm3aNHt1MWZ4JOUy5GzAb47y2cy051il96yYxnPjPoqHZ+sb8GqydD+Wdtw8hwTtkDW7xa7mACJTwuWOIU79l2oDnl63ylL8+JOFMkvCyqpvRSJQTp84k5efBKX3KzQjur4Xu79lO0LFF2NRDD6HkdNIzdZ6GrjQ6cfeKSx84X\/NzyeoBGfExOO\/4zYWpKYV5emN2qK2WwFz9V6yUT4FYCEpMENn4zKRUt2gX3+QJ3UggRDfQ8Atlul6XoqofW\/JfCf+PszhgtXLpc9QxVs3UVfeC+BCBsI\/evJsy+X2zvUBACJp1Cao7EAa\/un53A8cu1w+QQ\/3\/qpgFcwuebDk+bTd2XwEmQcRY5ntXb11cm+t6EgiuWMc8LtkZLW4g6Qk7C3exETENqr8qaKtA57iz69EbEaWfUTp590Cm1yhdVWnzQVccpyZRGULka\/D5PTiR6o3UCqpNAg8I43q9sRPGdaOzmk6LqC8kGMMj1N8P2DVYvcwJb3HB14BO5Blfb4kQNaSZCX81P5eekubMcrCkaYeLnnSigA4c2KBCJI0\/apWCuj0F93qKZChgzKT77EQe9PNeEwH9qa2yEnfxe42M9M\/dR+ZqezhwWXFtPpr0H\/z1rdkNoyBVAssfrasWrQx8flrDgnBIYD1460XCzVYLXxrhZgLoJb3EnAJ7vXCxsY0pXppBEZDDdim91oHmoHdPCYl0He7JYRSbPjtQSoUoTzcJp7PxKyOdGVLYBgNJz7zY+ZgHgZgGwjl0V0nqegEjC35a9y8SnKE63ljmDCyN8pWus5ViXGLvQ2Q\/1YgRAjjfufkIFVVjlXa01yHVzB76HDZ1tJk9CCm9ap34gzfAiHToNIXmogCeGqn2CdKyBeaiMSGkpYWcPn2x5217jPoRlFNQrlxxA+bM2VQvFdzsWSjAthvEYT8M0NKxSkvF5fH3eNJZYaUGLIiBrgIGbm4pAM\/x0xPOGKmtUmoLltnDzmkCbUcHYiWy3Y7nJHL865N2SK80a9Zp+7VINzLRf\/Ervx7NR7ytI7hPsERS2gR+t5ngZO4VMBVWlnWrW+Q0k4Q1KqCHh7RRwRxv5sH62zb+RmG6I1XbjkIiH\/fDv5F+LoUplAhBWHtQdc4gcY6R330O9wWahGV3oVm2bRxt8RZJJruLD1DYhwwT99J89GgAfYqHkYbcpYCi6LHqYqrQ6UmOTNERlSpwcXx4Ujj\/ftQuU3MAdSrHpDwvlJG8V3434OyaQQ78dblNHDOqOcIm3UL5vFVeeu11Ar10lwqpNk+NFgn+2DriZe1BIfTkQZAL4Pitnn2QjlLKFQ="}
 00653{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":147,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":147,"pkt_l4_len":113,"thread_ts_usec":1626168078676716,"pkt":"8BiYFWV8WNVuaKQACABFAACFmUUAAHgR1vEICAgIwKgBeQA1yx4AcZEiotGBgAABAAEAAAAAAzIzNQIzMwIyMgEyB2luLWFkZHIEYXJwYQAADAABwAwADAABAABT5QAzDGEyLTIyLTMzLTIzNQZkZXBsb3kGc3RhdGljEmFrYW1haXRlY2hub2xvZ2llcwNjb20A"}
 01035{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1626168078653044,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1626168078676716,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"235.33.22.2.in-addr.arpa","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}}
-01669{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4849.6,"max":66556,"stddev":14734.4,"var":217103472.0,"ent":1.7,"data": [1268,1,22712,2791,42219,7,1,1,2,1,1,3,1,2,1,1,1,1,2,1,1,1,66556,1,207,4,1,1,0,0,0,0]},"pktlen": {"min":54,"avg":423.6,"max":1502,"stddev":443.8,"var":196953.1,"ent":4.4,"data": [1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96]},"bins": {"c_to_s": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
-01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8725.6,"max":48024,"stddev":14356.9,"var":206121952.0,"ent":3.3,"data": [1,1055,23210,47617,37039,8,1,2,1,1,11720,448,454,9939,10211,1,619,25332,48024,32224,8,8662,433,9,3,3,2,1,2,508,12955,0]},"pktlen": {"min":54,"avg":453.2,"max":1502,"stddev":490.6,"var":240677.5,"ent":4.2,"data": [1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66]},"bins": {"c_to_s": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0],"s_to_c": [4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01661{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4849.6,"max":66556,"stddev":14734.4,"var":217103472.0,"ent":1.7,"data": [1268,1,22712,2791,42219,7,1,1,2,1,1,3,1,2,1,1,1,1,2,1,1,1,66556,1,207,4,1,1]},"pktlen": {"min":54,"avg":423.6,"max":1502,"stddev":443.8,"var":196953.1,"ent":4.4,"data": [1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96]},"bins": {"c_to_s": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
+01694{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8725.6,"max":48024,"stddev":14356.9,"var":206121952.0,"ent":3.3,"data": [1,1055,23210,47617,37039,8,1,2,1,1,11720,448,454,9939,10211,1,619,25332,48024,32224,8,8662,433,9,3,3,2,1,2,508,12955]},"pktlen": {"min":54,"avg":453.2,"max":1502,"stddev":490.6,"var":240677.5,"ent":4.2,"data": [1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66]},"bins": {"c_to_s": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0],"s_to_c": [4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}}
 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079158693,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079158693,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1626168079158693,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KaAbvsuitsAAAAALAC\/\/8ZDgAAAgQFtAEDAwYBAQgKPdH+3gAAAAAEAgAA"}
 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":237,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079191811,"flow_src_last_pkt_time":1626168079191811,"flow_dst_last_pkt_time":1626168079191811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079191811,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -224,8 +224,8 @@
 ~~ total active/idle flows...: 35/35
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6219665 bytes
-~~ total memory freed........: 6219665 bytes
+~~ total memory allocated....: 6219525 bytes
+~~ total memory freed........: 6219525 bytes
 ~~ total allocations/frees...: 122271/122271
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 509 chars
diff --git a/test/results/tls_cipher_lens.pcap.out b/test/results/tls_cipher_lens.pcap.out
index 47e749730..16c7cda4b 100644
--- a/test/results/tls_cipher_lens.pcap.out
+++ b/test/results/tls_cipher_lens.pcap.out
@@ -29,8 +29,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052572 bytes
-~~ total memory freed........: 6052572 bytes
+~~ total memory allocated....: 6052552 bytes
+~~ total memory freed........: 6052552 bytes
 ~~ total allocations/frees...: 121542/121542
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 500 chars
diff --git a/test/results/tls_esni_sni_both.pcap.out b/test/results/tls_esni_sni_both.pcap.out
index ac32f4894..014faafe6 100644
--- a/test/results/tls_esni_sni_both.pcap.out
+++ b/test/results/tls_esni_sni_both.pcap.out
@@ -23,8 +23,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6061025 bytes
-~~ total memory freed........: 6061025 bytes
+~~ total memory allocated....: 6061017 bytes
+~~ total memory freed........: 6061017 bytes
 ~~ total allocations/frees...: 121551/121551
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 502 chars
diff --git a/test/results/tls_false_positives.pcapng.out b/test/results/tls_false_positives.pcapng.out
index 06239032f..f45e3c26b 100644
--- a/test/results/tls_false_positives.pcapng.out
+++ b/test/results/tls_false_positives.pcapng.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038563 bytes
-~~ total memory freed........: 6038563 bytes
+~~ total memory allocated....: 6038559 bytes
+~~ total memory freed........: 6038559 bytes
 ~~ total allocations/frees...: 121518/121518
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 506 chars
diff --git a/test/results/tls_invalid_reads.pcap.out b/test/results/tls_invalid_reads.pcap.out
index f32b2e22e..4f38a0780 100644
--- a/test/results/tls_invalid_reads.pcap.out
+++ b/test/results/tls_invalid_reads.pcap.out
@@ -29,8 +29,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6043684 bytes
-~~ total memory freed........: 6043684 bytes
+~~ total memory allocated....: 6043676 bytes
+~~ total memory freed........: 6043676 bytes
 ~~ total allocations/frees...: 121510/121510
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 203 chars
diff --git a/test/results/tls_long_cert.pcap.out b/test/results/tls_long_cert.pcap.out
index 8060373e3..ca2a8bd31 100644
--- a/test/results/tls_long_cert.pcap.out
+++ b/test/results/tls_long_cert.pcap.out
@@ -7,7 +7,7 @@
 01108{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078058439,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1553619078058827,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01168{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078091883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1553619078091883,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 02634{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078093048,"flow_dst_last_pkt_time":1553619078093749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1553619078093749,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","server_names":"www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018","subjectDN":"C=IT, ST=Roma, L=Roma, O=GEDI Digital S.r.l., CN=www.repstatic.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1"}}}
-01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8011.5,"max":34221,"stddev":11402.3,"var":130012760.0,"ent":3.6,"data": [25199,25284,303,30105,3339,1074,34221,792,742,1850,1850,782,8352,423,28143,18603,6453,607,7069,119,26007,3,43,25894,1,59,186,154,696,4,1,0]},"pktlen": {"min":66,"avg":546.9,"max":1514,"stddev":584.9,"var":342142.3,"ent":4.2,"data": [78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01688{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8011.5,"max":34221,"stddev":11402.3,"var":130012760.0,"ent":3.6,"data": [25199,25284,303,30105,3339,1074,34221,792,742,1850,1850,782,8352,423,28143,18603,6453,607,7069,119,26007,3,43,25894,1,59,186,154,696,4,1]},"pktlen": {"min":66,"avg":546.9,"max":1514,"stddev":584.9,"var":342142.3,"ent":4.2,"data": [78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":96,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619149347313,"flow_dst_last_pkt_time":1553619149372363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2858,"flow_dst_tot_l4_payload_len":102711,"midstream":0,"thread_ts_usec":1553619149372363,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","packets-captured":182,"packets-processed":182,"total-skipped-flows":0,"total-l4-payload-len":105569,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1553619149372363}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -18,8 +18,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6083809 bytes
-~~ total memory freed........: 6083809 bytes
+~~ total memory allocated....: 6083805 bytes
+~~ total memory freed........: 6083805 bytes
 ~~ total allocations/frees...: 121732/121732
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/tls_missing_ch_frag.pcap.out b/test/results/tls_missing_ch_frag.pcap.out
index 8a034402a..7e0832a80 100644
--- a/test/results/tls_missing_ch_frag.pcap.out
+++ b/test/results/tls_missing_ch_frag.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047892 bytes
-~~ total memory freed........: 6047892 bytes
+~~ total memory allocated....: 6047888 bytes
+~~ total memory freed........: 6047888 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/tls_multiple_synack_different_seq.pcapng.out b/test/results/tls_multiple_synack_different_seq.pcapng.out
index 61d1d901c..d2f3b6a94 100644
--- a/test/results/tls_multiple_synack_different_seq.pcapng.out
+++ b/test/results/tls_multiple_synack_different_seq.pcapng.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055703 bytes
-~~ total memory freed........: 6055703 bytes
+~~ total memory allocated....: 6055699 bytes
+~~ total memory freed........: 6055699 bytes
 ~~ total allocations/frees...: 121520/121520
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 520 chars
diff --git a/test/results/tls_port_80.pcapng.out b/test/results/tls_port_80.pcapng.out
index d859626ac..d2e3d0780 100644
--- a/test/results/tls_port_80.pcapng.out
+++ b/test/results/tls_port_80.pcapng.out
@@ -16,8 +16,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6040231 bytes
-~~ total memory freed........: 6040231 bytes
+~~ total memory allocated....: 6040227 bytes
+~~ total memory freed........: 6040227 bytes
 ~~ total allocations/frees...: 121507/121507
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/tls_torrent.pcapng.out b/test/results/tls_torrent.pcapng.out
index 341ededcc..c8872aac8 100644
--- a/test/results/tls_torrent.pcapng.out
+++ b/test/results/tls_torrent.pcapng.out
@@ -17,8 +17,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052430 bytes
-~~ total memory freed........: 6052430 bytes
+~~ total memory allocated....: 6052426 bytes
+~~ total memory freed........: 6052426 bytes
 ~~ total allocations/frees...: 121504/121504
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/tls_verylong_certificate.pcap.out b/test/results/tls_verylong_certificate.pcap.out
index bb86bdbad..a8ecd82f3 100644
--- a/test/results/tls_verylong_certificate.pcap.out
+++ b/test/results/tls_verylong_certificate.pcap.out
@@ -7,7 +7,7 @@
 01055{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908469342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578254908475203,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01115{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908490162,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1578254908490162,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}}
 03803{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908490465,"flow_dst_last_pkt_time":1578254908490567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5472,"midstream":0,"thread_ts_usec":1578254908490567,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}}
-01558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4559.7,"max":21714,"stddev":6622.1,"var":43852844.0,"ent":3.5,"data": [11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2,0]},"pktlen": {"min":66,"avg":532.6,"max":1434,"stddev":615.3,"var":378610.9,"ent":4.1,"data": [78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118]},"bins": {"c_to_s": [12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1]}}
+01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4559.7,"max":21714,"stddev":6622.1,"var":43852844.0,"ent":3.5,"data": [11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2]},"pktlen": {"min":66,"avg":532.6,"max":1434,"stddev":615.3,"var":378610.9,"ent":4.1,"data": [78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118]},"bins": {"c_to_s": [12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1]}}
 03806{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}}
 00918{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":24,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908551114,"flow_dst_last_pkt_time":1578254908551079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":844,"flow_dst_tot_l4_payload_len":18233,"midstream":0,"thread_ts_usec":1578254908551114,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media"}}
 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","packets-captured":48,"packets-processed":48,"total-skipped-flows":0,"total-l4-payload-len":19077,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1578254908551114}
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6211364 bytes
-~~ total memory freed........: 6211364 bytes
+~~ total memory allocated....: 6211360 bytes
+~~ total memory freed........: 6211360 bytes
 ~~ total allocations/frees...: 121673/121673
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 509 chars
diff --git a/test/results/toca-boca.pcap.out b/test/results/toca-boca.pcap.out
index e9356e895..6ee9284c6 100644
--- a/test/results/toca-boca.pcap.out
+++ b/test/results/toca-boca.pcap.out
@@ -116,8 +116,8 @@
 ~~ total active/idle flows...: 21/21
 ~~ total timeout flows.......: 3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6070438 bytes
-~~ total memory freed........: 6070438 bytes
+~~ total memory allocated....: 6070354 bytes
+~~ total memory freed........: 6070354 bytes
 ~~ total allocations/frees...: 121764/121764
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/tor.pcap.out b/test/results/tor.pcap.out
index 241dfcb27..13e921498 100644
--- a/test/results/tor.pcap.out
+++ b/test/results/tor.pcap.out
@@ -71,8 +71,8 @@
 00692{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":105,"source":"tor.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1383821703288336,"flow_dst_last_pkt_time":1383821673254958,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1383821703288336,"pkt":"\/\/\/\/\/\/\/\/UlQAwqwfCABFAACsAABAAEARtfDAqAEBwKgB\/0RcRFwAmDDeeyJob3N0X2ludCI6IDY3Njg3OTk3NiwgInZlcnNpb24iOiBbMSwgOF0sICJkaXNwbGF5bmFtZSI6ICI2NzY4Nzk5NzYiLCAicG9ydCI6IDE3NTAwLCAibmFtZXNwYWNlcyI6IFsxNjc4NDEyMTYsIDE4MTA4Mzk2OCwgMTgxMDgwMzI0LCAyOTU0NDE3M119"}
 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":111,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821704212955}
 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":111,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821703723048,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
-02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":113,"avg":2328505.8,"max":31166013,"stddev":7549668.5,"var":56997495963648.0,"ent":1.9,"data": [143824,144206,386,152663,157,159633,171698,164686,190851,113,190713,627,185098,185495,145105,5747,151688,184201,104686,289985,146556,2535956,2930532,30770666,31166013,871,147027,185685,696487,885191,147130,0]},"pktlen": {"min":54,"avg":369.8,"max":1514,"stddev":354.9,"var":125974.5,"ent":4.3,"data": [66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
-01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":2548633.8,"max":37995839,"stddev":9273754.0,"var":86002509021184.0,"ent":1.4,"data": [70996,71325,6669,104314,10783,112643,88567,84606,73691,120,73665,754,108431,107711,67797,2260,74630,103567,101811,113368,368689,686539,37720424,37995839,68191,67504,104050,189003,360821,68695,181,0]},"pktlen": {"min":54,"avg":462.8,"max":1514,"stddev":476.2,"var":226793.4,"ent":4.3,"data": [66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514]},"bins": {"c_to_s": [5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":113,"avg":2328505.8,"max":31166013,"stddev":7549668.5,"var":56997495963648.0,"ent":1.9,"data": [143824,144206,386,152663,157,159633,171698,164686,190851,113,190713,627,185098,185495,145105,5747,151688,184201,104686,289985,146556,2535956,2930532,30770666,31166013,871,147027,185685,696487,885191,147130]},"pktlen": {"min":54,"avg":369.8,"max":1514,"stddev":354.9,"var":125974.5,"ent":4.3,"data": [66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
+01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":2548633.8,"max":37995839,"stddev":9273754.0,"var":86002509021184.0,"ent":1.4,"data": [70996,71325,6669,104314,10783,112643,88567,84606,73691,120,73665,754,108431,107711,67797,2260,74630,103567,101811,113368,368689,686539,37720424,37995839,68191,67504,104050,189003,360821,68695,181]},"pktlen": {"min":54,"avg":462.8,"max":1514,"stddev":476.2,"var":226793.4,"ent":4.3,"data": [66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514]},"bins": {"c_to_s": [5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":156,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821706213267}
 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":156,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821706194070,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":185,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821708213145}
@@ -148,7 +148,7 @@
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1817,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821774213020}
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
-02121{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":90,"avg":4657651.5,"max":71328355,"stddev":14789051.0,"var":218716025389056.0,"ent":1.8,"data": [73367,74408,357,74070,3203,80209,86098,83238,77261,90,76164,838,117183,116350,75240,23977,101877,114494,465564,429267,3455,80828,117031,388775,507320,75910,393949,666205,34353103,34399015,71328355,0]},"pktlen": {"min":54,"avg":344.6,"max":1514,"stddev":347.1,"var":120444.2,"ent":4.3,"data": [66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60]},"bins": {"c_to_s": [6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
+02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":90,"avg":4657651.5,"max":71328355,"stddev":14789051.0,"var":218716025389056.0,"ent":1.8,"data": [73367,74408,357,74070,3203,80209,86098,83238,77261,90,76164,838,117183,116350,75240,23977,101877,114494,465564,429267,3455,80828,117031,388775,507320,75910,393949,666205,34353103,34399015,71328355]},"pktlen": {"min":54,"avg":344.6,"max":1514,"stddev":347.1,"var":120444.2,"ent":4.3,"data": [66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60]},"bins": {"c_to_s": [6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821776213090}
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821774532755,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1829,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821778213143}
@@ -187,10 +187,10 @@
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1892,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1383822131034064,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1383822131034064,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCK9AAIAGwmLAqAH8JuVGNcfoAbv0twfgYNP3BVAQAQBhAQAAAAAAAAAA"}
 01140{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1893,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822131034778,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01348{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1896,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131220406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":929,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":929,"midstream":0,"thread_ts_usec":1383822131220406,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","subjectDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}}
-02107{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":146,"avg":146706.0,"max":990883,"stddev":220400.9,"var":48576569344.0,"ent":3.9,"data": [64392,65808,9514,82112,4238,79785,91000,88446,79568,146,78186,925,110026,109380,69120,1548,80197,113582,35660,145791,70785,343658,637547,693937,990883,1625,71983,109022,69049,180072,69902,0]},"pktlen": {"min":54,"avg":362.2,"max":1514,"stddev":347.1,"var":120448.8,"ent":4.4,"data": [66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
+02105{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":146,"avg":146706.0,"max":990883,"stddev":220400.9,"var":48576569344.0,"ent":3.9,"data": [64392,65808,9514,82112,4238,79785,91000,88446,79568,146,78186,925,110026,109380,69120,1548,80197,113582,35660,145791,70785,343658,637547,693937,990883,1625,71983,109022,69049,180072,69902]},"pktlen": {"min":54,"avg":362.2,"max":1514,"stddev":347.1,"var":120448.8,"ent":4.4,"data": [66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822132212345}
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822132203451,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
-01877{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":185742.4,"max":755290,"stddev":163607.9,"var":26767544320.0,"ent":4.5,"data": [143944,144327,714,149478,37247,195972,163599,153986,192261,56166,215,255054,2118,152835,143919,143900,44572,192109,147551,608487,755290,145485,149387,149841,132696,281585,155046,87778,477208,367752,127492,0]},"pktlen": {"min":54,"avg":351.4,"max":1514,"stddev":355.4,"var":126324.2,"ent":4.3,"data": [66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01875{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":185742.4,"max":755290,"stddev":163607.9,"var":26767544320.0,"ent":4.5,"data": [143944,144327,714,149478,37247,195972,163599,153986,192261,56166,215,255054,2118,152835,143919,143900,44572,192109,147551,608487,755290,145485,149387,149841,132696,281585,155046,87778,477208,367752,127492]},"pktlen": {"min":54,"avg":351.4,"max":1514,"stddev":355.4,"var":126324.2,"ent":4.3,"data": [66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":79,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821774457983,"flow_dst_last_pkt_time":1383821774457610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19175,"flow_dst_tot_l4_payload_len":41545,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 01029{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821693159821,"flow_src_last_pkt_time":1383821693159821,"flow_dst_last_pkt_time":1383821693159821,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":210,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System"}}
 00871{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821734359648,"flow_src_last_pkt_time":1383821734359648,"flow_dst_last_pkt_time":1383821734359648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -344,7 +344,7 @@
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3826,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822262143775,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822264211946}
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822264155073,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
-01876{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":319,"avg":8727092.0,"max":72890007,"stddev":22568808.0,"var":509351076823040.0,"ent":2.1,"data": [59390,61607,13819,72120,2062,62909,63545,60042,79423,319,78805,1749,98338,96626,56518,4501,61844,64873,64036,73717,275721,252847,50798,9733,261423,61538274,61491411,72591366,72890007,3990,98034,0]},"pktlen": {"min":54,"avg":326.0,"max":1514,"stddev":345.9,"var":119666.8,"ent":4.3,"data": [66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60]},"bins": {"c_to_s": [9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01874{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":319,"avg":8727092.0,"max":72890007,"stddev":22568808.0,"var":509351076823040.0,"ent":2.1,"data": [59390,61607,13819,72120,2062,62909,63545,60042,79423,319,78805,1749,98338,96626,56518,4501,61844,64873,64036,73717,275721,252847,50798,9733,261423,61538274,61491411,72591366,72890007,3990,98034]},"pktlen": {"min":54,"avg":326.0,"max":1514,"stddev":345.9,"var":119666.8,"ent":4.3,"data": [66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60]},"bins": {"c_to_s": [9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822266211911}
 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822265221448,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3854,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822268211949}
@@ -373,10 +373,10 @@
 ~~ total active/idle flows...: 11/11
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6188253 bytes
-~~ total memory freed........: 6188253 bytes
+~~ total memory allocated....: 6188209 bytes
+~~ total memory freed........: 6188209 bytes
 ~~ total allocations/frees...: 125319/125319
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 185 chars
-~~ json string max len.......: 2135 chars
-~~ json string avg len.......: 1160 chars
+~~ json string max len.......: 2133 chars
+~~ json string avg len.......: 1159 chars
diff --git a/test/results/trickbot.pcap.out b/test/results/trickbot.pcap.out
index 9b2e97e2c..ca5beed09 100644
--- a/test/results/trickbot.pcap.out
+++ b/test/results/trickbot.pcap.out
@@ -6,7 +6,7 @@
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1609266107797418,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1609266107797418,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoc9JAAIAGK1IKDB1lUnbhxO+GG6gSdtdXYu1SXVAQ\/\/+p4QAA"}
 01412{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797621,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":349,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":349,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609266107797621,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}}
 01552{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797702,"flow_dst_last_pkt_time":1609266108728827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1358,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":1358,"midstream":0,"thread_ts_usec":1609266108728827,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":200,"content_type":"text\/html","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}}
-02062{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":156585.2,"max":931328,"stddev":258444.3,"var":66793451520.0,"ent":3.3,"data": [245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14,0]},"pktlen": {"min":54,"avg":944.0,"max":1514,"stddev":662.5,"var":438885.5,"ent":4.5,"data": [66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208]},"bins": {"c_to_s": [7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+02060{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":156585.2,"max":931328,"stddev":258444.3,"var":66793451520.0,"ent":3.3,"data": [245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14]},"pktlen": {"min":54,"avg":944.0,"max":1514,"stddev":662.5,"var":438885.5,"ent":4.5,"data": [66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208]},"bins": {"c_to_s": [7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 01264{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":46,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266115947454,"flow_dst_last_pkt_time":1609266115947521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":56713,"midstream":0,"thread_ts_usec":1609266115947521,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","packets-captured":74,"packets-processed":74,"total-skipped-flows":0,"total-l4-payload-len":57990,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1609266115947521}
 ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6038026 bytes
-~~ total memory freed........: 6038026 bytes
+~~ total memory allocated....: 6038022 bytes
+~~ total memory freed........: 6038022 bytes
 ~~ total allocations/frees...: 121568/121568
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
-~~ json string max len.......: 2067 chars
+~~ json string max len.......: 2065 chars
 ~~ json string avg len.......: 1232 chars
diff --git a/test/results/tumblr.pcap.out b/test/results/tumblr.pcap.out
index 70f795e8a..9eaa83a9a 100644
--- a/test/results/tumblr.pcap.out
+++ b/test/results/tumblr.pcap.out
@@ -26,7 +26,7 @@
 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292104650967,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292104650967,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104650967,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoWdXXNVgBAB9YSyAAABAQgKTYTpp8Lc6wE="}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104716333,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAGj0KsgqAcsBIEmLB5kd7IUo3\/YpAbvdzp1dc1X\/jEKGgBAMSBTRAAABAQgKwt2b\/U1+nj4="}
-01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83989.1,"max":700859,"stddev":188930.8,"var":35694845952.0,"ent":2.6,"data": [870,91738,194148,2,1,2772,104383,700859,700827,1324,5830,44963,352,357119,395282,1534,2,2,1,1,1,1,2,1529,39,13,18,11,13,13,12,0]},"pktlen": {"min":86,"avg":463.5,"max":1486,"stddev":576.4,"var":332266.9,"ent":4.0,"data": [468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86]},"bins": {"c_to_s": [11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01699{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83989.1,"max":700859,"stddev":188930.8,"var":35694845952.0,"ent":2.6,"data": [870,91738,194148,2,1,2772,104383,700859,700827,1324,5830,44963,352,357119,395282,1534,2,2,1,1,1,1,2,1529,39,13,18,11,13,13,12]},"pktlen": {"min":86,"avg":463.5,"max":1486,"stddev":576.4,"var":332266.9,"ent":4.0,"data": [468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86]},"bins": {"c_to_s": [11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00775{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":246,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":246,"pkt_l4_len":192,"thread_ts_usec":1605292105170049,"pkt":"qtsDr8lk5EKm5WPyht1gDdvHAMAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0oqZwBuzRq\/HZTRuvUgBgSELhfAAABAQgKdG+lysLdLW8XAwMAm7+VUv5v3n1cEKhvA7Obmk7hW69laavu9OZNOdP5v2aiE9LYEKQeHffn7vm6VstuW5LB+GPd1bdCCYxPrQ8cpXXvSrRBde7Ubgvulsw\/eGF6vJKgoYXL5h04lY18ojPm\/cV9tUPretg64t\/hG52\/jXKkQ9+5e1GR1KuJgn1MWQ\/97vN82J\/Jt388ivkqQMfP0T\/jvMqs33Elwytq"}
 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -39,12 +39,12 @@
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105170518,"flow_dst_last_pkt_time":1605292105195930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105195930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAMAATSgqAcsBIEmLB5kd7IUo3\/YpAbupnFNG69Q0av0WgBAMvoDtAAABAQgKwt2d3XRvpco="}
 00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105197307,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105197307,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OYAAAAAoAL9IHL6AAACBAWgBAIIClFT82IAAAAAAQMDBw=="}
-01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3326.8,"max":37135,"stddev":8084.0,"var":65351828.0,"ent":2.7,"data": [469,25881,1104,10603,37135,1897,1,1911,13,717,678,9927,9935,107,1,101,8,237,229,116,116,308,309,92,91,472,1,479,15,99,79,0]},"pktlen": {"min":86,"avg":472.5,"max":1486,"stddev":599.1,"var":358951.0,"ent":4.0,"data": [246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86]},"bins": {"c_to_s": [14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0]}}
+01554{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3326.8,"max":37135,"stddev":8084.0,"var":65351828.0,"ent":2.7,"data": [469,25881,1104,10603,37135,1897,1,1911,13,717,678,9927,9935,107,1,101,8,237,229,116,116,308,309,92,91,472,1,479,15,99,79]},"pktlen": {"min":86,"avg":472.5,"max":1486,"stddev":599.1,"var":358951.0,"ent":4.0,"data": [246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86]},"bins": {"c_to_s": [14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0]}}
 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":146,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105230486,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSYGKAABNRVaI7oLKiX\/Ei0qAcsBIEmLB5kd7IUo3\/YpAbvkDMLhfl2n7vTnoBJXgHalAAACBAV4AQMDAwQCCArC3Z3zUVPzYg=="}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105230554,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105230554,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OfC4X5egBAB+\/qVAAABAQgKUVPzg8LdnfM="}
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":154,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105231042,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01565{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3903.1,"max":45055,"stddev":9416.3,"var":88667112.0,"ent":2.8,"data": [365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28,0]},"pktlen": {"min":86,"avg":622.3,"max":1486,"stddev":669.7,"var":448506.0,"ent":4.1,"data": [198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86]},"bins": {"c_to_s": [12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]}}
+01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3903.1,"max":45055,"stddev":9416.3,"var":88667112.0,"ent":2.8,"data": [365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28]},"pktlen": {"min":86,"avg":622.3,"max":1486,"stddev":669.7,"var":448506.0,"ent":4.1,"data": [198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86]},"bins": {"c_to_s": [12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]}}
 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105274861,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105274861,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZYAAAAAoAL9IG8jAAACBAWgBAIIClFT868AAAAAAQMDBw=="}
@@ -53,7 +53,7 @@
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105299399,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105299399,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZeG572bgBAB+\/MzAAABAQgKUVPzyMLdnkM="}
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":378,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105299606,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105299606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105322435,"flow_dst_last_pkt_time":1605292105340527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":99,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":99,"midstream":0,"thread_ts_usec":1605292105340527,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11581.2,"max":47694,"stddev":16955.4,"var":287485632.0,"ent":3.2,"data": [33179,33247,488,47694,47160,1225,37725,2106,38598,23,3,754,718,796,796,2589,248,171,60,26260,592,1,74,1362,25234,8,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":314.7,"max":1294,"stddev":381.9,"var":145812.8,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86]},"bins": {"c_to_s": [10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11581.2,"max":47694,"stddev":16955.4,"var":287485632.0,"ent":3.2,"data": [33179,33247,488,47694,47160,1225,37725,2106,38598,23,3,754,718,796,796,2589,248,171,60,26260,592,1,74,1362,25234,8]},"pktlen": {"min":86,"avg":314.7,"max":1294,"stddev":381.9,"var":145812.8,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86]},"bins": {"c_to_s": [10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105418417,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105418417,"pkt":"qtsDr8lk5EKm5WPyht1gDBurACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPABuw7mG3sAAAAAoAL9IOHqAAACBAWgBAIIChNm5EYAAAAAAQMDBw=="}
 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":433,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105433892,"flow_src_last_pkt_time":1605292105433892,"flow_dst_last_pkt_time":1605292105433892,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105433892,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2001:4998:14:800::1001","src_port":47118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -70,7 +70,7 @@
 00886{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":454,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105669051,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105669051,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":455,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105669426,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":125,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":125,"pkt_l4_len":71,"thread_ts_usec":1605292105669426,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAEcGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOsYW2C\/9gBhA0ehRAAABAQgKBcmbrMLdLRcXAwMAIgQb59HIMHYAgoaCAJqbMMjq72ntBt\/\/eGErLyXH34Iczsk="}
 00733{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":456,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105669518,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":215,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":215,"pkt_l4_len":161,"thread_ts_usec":1605292105669518,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAKEGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOu0W2C\/9gBhA0aEtAAABAQgKBcmbrMLdLRcXAwMAfBkhBkIFqMuMKjD1\/xjqGp2hEKMP3ziLomYjJXbyDDBzMNKC8MmFqfqAj9+xvxfAO7rBldu4UpazYVXmg399TnFcypI7qckvMpQyy6kehQ5F75J5BlTYjgokme9I6h8+9mS8Y6D2WQEp5qh0Ix9\/vReZo1xT0xocl8k7wFQ="}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3795.7,"max":36646,"stddev":9087.4,"var":82581152.0,"ent":2.4,"data": [375,92,385,236,26419,36646,2159,376,10012,21697,203,197,169,221,406,8,175,469,1,620,51,101,150,197,535,21,562,0,0,0,0,0]},"pktlen": {"min":86,"avg":449.7,"max":1486,"stddev":586.0,"var":343353.7,"ent":4.0,"data": [206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86]},"bins": {"c_to_s": [8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0]}}
+01547{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3795.7,"max":36646,"stddev":9087.4,"var":82581152.0,"ent":2.4,"data": [375,92,385,236,26419,36646,2159,376,10012,21697,203,197,169,221,406,8,175,469,1,620,51,101,150,197,535,21,562]},"pktlen": {"min":86,"avg":449.7,"max":1486,"stddev":586.0,"var":343353.7,"ent":4.0,"data": [206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86]},"bins": {"c_to_s": [8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0]}}
 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105726518,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":127,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":127,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":127,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105726518,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4c03","src_port":51874,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":213,"pkt_l4_len":159,"thread_ts_usec":1605292105726518,"pkt":"qtsDr8lk5EKm5WPyht1gBYNxAJ8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAEwDyqIBu7npntnZTJergBgB9damAAABAQgKLIniTsLdLfkXAwMAepLzP8oRHbXAD5D56fW\/ezxXNRxKdaqM6BwQpjw0zyORx06Rl8gHWinoWY19NxmIXl2owLgVHJ\/UEVkHmda\/PMinu6FgCqLeUi5RUsVJaGqL1ulKRH6Mi5nxYau2z9M9f+jUaBIVXH47AOoxy+jPs5YTh+8Es3OdfTIr"}
@@ -96,7 +96,7 @@
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2849,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1605292108917920,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292108917920,"pkt":"qtsDr8lk5EKm5WPyht1gCOgvACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3goBu3qld1Md4lVGgBAB+8BsAAABAQgKBcmoXMLdrGc="}
 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2850,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292108918360,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2953,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108973288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292108973288,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13139.0,"max":70171,"stddev":20754.3,"var":430742720.0,"ent":3.1,"data": [22637,22712,440,30662,24781,1,1,54941,10,7,4,36,7,1509,240,132,59732,70171,1,28567,37136,504,1,1,500,15,4,0,0,0,0,0]},"pktlen": {"min":86,"avg":377.8,"max":1486,"stddev":486.5,"var":236637.8,"ent":4.1,"data": [94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13139.0,"max":70171,"stddev":20754.3,"var":430742720.0,"ent":3.1,"data": [22637,22712,440,30662,24781,1,1,54941,10,7,4,36,7,1509,240,132,59732,70171,1,28567,37136,504,1,1,500,15,4]},"pktlen": {"min":86,"avg":377.8,"max":1486,"stddev":486.5,"var":236637.8,"ent":4.1,"data": [94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292114506948,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292114506948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114506948,"pkt":"qtsDr8lk5EKm5WPyht1gCYCjACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3O4Bu5iknWH70O\/fgBATex8tAAABAQgKqXtvnsLdEcs="}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12580,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114736576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114736576,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvc7vvQ79+YpJ1igBBY1dkNAAABAQgKwt3C3al6v1A="}
@@ -167,7 +167,7 @@
 01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23421,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121507997,"flow_dst_last_pkt_time":1605292121697370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292121697370,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01493{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23427,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121697627,"flow_dst_last_pkt_time":1605292121698447,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5097,"midstream":0,"thread_ts_usec":1605292121698447,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_src_last_pkt_time":1605292121674877,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292121698552,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgXAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvZCJmV\/O79d79\/gBALlo7gAAABAQgKwt3eUxu5BaQ="}
-01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28645.1,"max":189403,"stddev":50095.8,"var":2509586944.0,"ent":3.2,"data": [21421,21468,523,29545,160398,189403,235,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86,0,0]},"pktlen": {"min":86,"avg":468.0,"max":1486,"stddev":568.3,"var":322990.4,"ent":4.1,"data": [94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1]}}
+01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28645.1,"max":189403,"stddev":50095.8,"var":2509586944.0,"ent":3.2,"data": [21421,21468,523,29545,160398,189403,235,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86]},"pktlen": {"min":86,"avg":468.0,"max":1486,"stddev":568.3,"var":322990.4,"ent":4.1,"data": [94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1]}}
 01497{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}}
 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122064463,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122064463,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGkAAAAAoAL9IOE8AAACBAWgBAIICthbOh0AAAAAAQMDBw=="}
@@ -179,15 +179,15 @@
 01157{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122094721,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122094987,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122095843,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122095843,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5CzgAAAAAoAL9IPiAAAACBAWgBAIIChLBJ8gAAAAAAQMDBw=="}
-01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1561236.4,"max":19513573,"stddev":5287922.5,"var":27962124533760.0,"ent":1.0,"data": [19473275,346,19513573,40000,58,14,3,47,46,590,601,1080,1,1,1,1081,15,50,4,2,3,4,112,1,1,0,0,0,0,0,0,0]},"pktlen": {"min":86,"avg":614.1,"max":1134,"stddev":520.1,"var":270533.2,"ent":4.4,"data": [86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134]},"bins": {"c_to_s": [13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1]}}
+01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1561236.4,"max":19513573,"stddev":5287922.5,"var":27962124533760.0,"ent":1.0,"data": [19473275,346,19513573,40000,58,14,3,47,46,590,601,1080,1,1,1,1081,15,50,4,2,3,4,112,1,1]},"pktlen": {"min":86,"avg":614.1,"max":1134,"stddev":520.1,"var":270533.2,"ent":4.4,"data": [86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134]},"bins": {"c_to_s": [13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1]}}
 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24118,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122163288,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuW0O3zbp+IuQs5oBJXgJ7NAAACBAV4AQMDAwQCCArC3d\/9EsEnyA=="}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24126,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122163315,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122163315,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBAB+yKbAAABAQgKEsEoDMLd3\/0="}
 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24188,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122163584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01202{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24239,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122177975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122177975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122212637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122212637,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12290.1,"max":67472,"stddev":20336.5,"var":413573216.0,"ent":3.2,"data": [67445,67472,269,44078,5271,1,49097,3,94,53,18571,10150,718,42370,12940,229,14297,2020,1,16083,2556,1,2570,25,64,1,22,4,8,0,0,0]},"pktlen": {"min":86,"avg":392.4,"max":1294,"stddev":464.3,"var":215557.6,"ent":4.1,"data": [94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15006.9,"max":83018,"stddev":20961.8,"var":439398816.0,"ent":3.6,"data": [30258,30298,226,70679,12575,2,1,83018,62,4,882,32413,31475,5911,16277,137,34580,1914,14156,7168,10659,16853,1,1,34679,24,2,2,942,0,0,0]},"pktlen": {"min":86,"avg":398.2,"max":1294,"stddev":474.8,"var":225406.5,"ent":4.1,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12290.1,"max":67472,"stddev":20336.5,"var":413573216.0,"ent":3.2,"data": [67445,67472,269,44078,5271,1,49097,3,94,53,18571,10150,718,42370,12940,229,14297,2020,1,16083,2556,1,2570,25,64,1,22,4,8]},"pktlen": {"min":86,"avg":392.4,"max":1294,"stddev":464.3,"var":215557.6,"ent":4.1,"data": [94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15006.9,"max":83018,"stddev":20961.8,"var":439398816.0,"ent":3.6,"data": [30258,30298,226,70679,12575,2,1,83018,62,4,882,32413,31475,5911,16277,137,34580,1914,14156,7168,10659,16853,1,1,34679,24,2,2,942]},"pktlen": {"min":86,"avg":398.2,"max":1294,"stddev":474.8,"var":225406.5,"ent":4.1,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00716{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":203,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":203,"pkt_l4_len":149,"thread_ts_usec":1605292122439986,"pkt":"qtsDr8lk5EKm5WPyht1gDKQRAJUGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFwAAAAAAACAK2QgBu\/13v3+ZlfzugBgB9aL3AAABAQgKG7m5ccLd3lMXAwMAcFVxaXihuhejZCNpZ5nuv6bEN9Yj5XMBxAt2QHwyRgmT6ybDwC5C73DyglYgxmIhMzt282zpUtE5GphT7ONBXskP6qssi1eNQHysgmBFeTvR+6kSeL0yhYhtFPIEYfWd8KPo3wOHIQIgFNXMNqMrZ9Q="}
 00892{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1605292121674877,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":117,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":117,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122439986,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:817::200a","src_port":55560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122501104,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":149,"pkt_l4_len":95,"thread_ts_usec":1605292122501104,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMAF8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoadXXNVgBgB9QaPAAABAQgKTYUvYcLdm\/0XAwMAOgAAAAAAAAAIvZM7k4G8cjK7Q9\/YrVI4eMbPvi74lWEwjtUtgcQJsZEKgX5x1KPe5+ARIWOSp6YRK8o="}
@@ -201,7 +201,7 @@
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24694,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122698834,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122698834,"pkt":"qtsDr8lk5EKm5WPyht1gCuvGACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABKcpoVprIBu3ASIMYXhL6qgBAB9S93AAABAQgKNSTnjcLdLMU="}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24706,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122741055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122741055,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAEpymhUqAcsBIEmLB5kd7IUo3\/YpAbumsheEvqpwEiDHgBALdyXtAAABAQgKwt3iZjUkMfM="}
 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24707,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122674024,"flow_src_last_pkt_time":1605292122698360,"flow_dst_last_pkt_time":1605292122755298,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":620,"flow_dst_max_l4_payload_len":270,"flow_src_tot_l4_payload_len":620,"flow_dst_tot_l4_payload_len":270,"midstream":0,"thread_ts_usec":1605292122755298,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement","hostname":"sb.scorecardresearch.com","tls": {"version":"TLSv1.3","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1119414.5,"max":16588707,"stddev":4059258.8,"var":16477581213696.0,"ent":1.4,"data": [29466,29487,204,37942,9029,46759,696,98,30996,1834,7035,39073,52635,52694,371915,406395,20731,55185,2451,32929,9268,39721,16556740,16588707,11402,43353,16903,58413,9807,93158,46822,0]},"pktlen": {"min":86,"avg":364.4,"max":1365,"stddev":367.9,"var":135349.6,"ent":4.3,"data": [94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}}
+01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1119414.5,"max":16588707,"stddev":4059258.8,"var":16477581213696.0,"ent":1.4,"data": [29466,29487,204,37942,9029,46759,696,98,30996,1834,7035,39073,52635,52694,371915,406395,20731,55185,2451,32929,9268,39721,16556740,16588707,11402,43353,16903,58413,9807,93158,46822]},"pktlen": {"min":86,"avg":364.4,"max":1365,"stddev":367.9,"var":135349.6,"ent":4.3,"data": [94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}}
 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122874816,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122874816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122874816,"pkt":"qtsDr8lk5EKm5WPyht1gDJQ7ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICgAAAAAAACAKnP4Bu4CgSN\/gvLosgBAB9qrlAAABAQgK1OQQnsLdMvM="}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24745,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122899206,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122899206,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgKAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuc\/uC8uiyAoEjggBALQrp6AAABAQgKwt3jAtThR68="}
@@ -289,10 +289,10 @@
 ~~ total active/idle flows...: 47/47
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 7355602 bytes
-~~ total memory freed........: 7355602 bytes
+~~ total memory allocated....: 7355414 bytes
+~~ total memory freed........: 7355414 bytes
 ~~ total allocations/frees...: 146817/146817
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
-~~ json string max len.......: 1779 chars
-~~ json string avg len.......: 1135 chars
+~~ json string max len.......: 1777 chars
+~~ json string avg len.......: 1134 chars
diff --git a/test/results/tunnelbear.pcap.out b/test/results/tunnelbear.pcap.out
index 44be1da46..e13de6cc5 100644
--- a/test/results/tunnelbear.pcap.out
+++ b/test/results/tunnelbear.pcap.out
@@ -36,7 +36,7 @@
 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1655734524482823,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734524482823,"pkt":"ABoRAAACABoRAAABCABFAAAo3gtAAEAGvAcKCAABovfzvLmIAbsjcXmi3I6GX1AQ\/\/9T0gAA"}
 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734524484592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01388{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":94,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524597187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734524597187,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}}
-01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":37391.9,"max":265866,"stddev":60218.7,"var":3626296576.0,"ent":3.5,"data": [4811,10763,14,6027,71146,71669,62476,63085,171,99,103,116,2258,2217,58331,58816,497,202,194,148,171,85,633,797,214474,265866,52392,51419,53825,54567,51776,0]},"pktlen": {"min":54,"avg":440.0,"max":3711,"stddev":812.3,"var":659832.9,"ent":3.6,"data": [74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885]},"bins": {"c_to_s": [7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":37391.9,"max":265866,"stddev":60218.7,"var":3626296576.0,"ent":3.5,"data": [4811,10763,14,6027,71146,71669,62476,63085,171,99,103,116,2258,2217,58331,58816,497,202,194,148,171,85,633,797,214474,265866,52392,51419,53825,54567,51776]},"pktlen": {"min":54,"avg":440.0,"max":3711,"stddev":812.3,"var":659832.9,"ent":3.6,"data": [74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885]},"bins": {"c_to_s": [7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525210582,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734525210582,"pkt":"ABoRAAACABoRAAABCABFAAA8oPNAAEAGtIYKCAABaBFzKLBEAbsaEwikAAAAAKAC\/\/\/kSwAAAgQFtAQCCAoBY6hXAAAAAAEDAwg="}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525218112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734525218112,"pkt":"ABoRAAACABoRAAABCABFAAAoAJJAABAGhPxoEXMoCggAAQG7sETl7PdbGhMIpVAS\/\/8YkAAA"}
@@ -49,7 +49,7 @@
 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":143,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525221695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525224208,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":145,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525281832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525281832,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":147,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525221986,"flow_dst_last_pkt_time":1655734525332870,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525332870,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
-01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":35827.1,"max":233720,"stddev":54909.0,"var":3015001088.0,"ent":3.6,"data": [3428,3938,2003,2864,57273,107978,750,51373,305,140,145,128,138,133,50874,51892,1049,50443,50842,196795,233720,37672,51488,50853,51099,141,51026,454,234,444,1019,0]},"pktlen": {"min":54,"avg":163.7,"max":803,"stddev":198.3,"var":39337.4,"ent":4.2,"data": [74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":35827.1,"max":233720,"stddev":54909.0,"var":3015001088.0,"ent":3.6,"data": [3428,3938,2003,2864,57273,107978,750,51373,305,140,145,128,138,133,50874,51892,1049,50443,50842,196795,233720,37672,51488,50853,51099,141,51026,454,234,444,1019]},"pktlen": {"min":54,"avg":163.7,"max":803,"stddev":198.3,"var":39337.4,"ent":4.2,"data": [74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734754614463,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1655734754614463,"l3_proto":"ip4","src_ip":"10.158.132.91","dst_ip":"104.17.114.40","src_port":38398,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734754614463,"pkt":"ABoRAAACABoRAAABCABFAAAoVtFAAEAGeswKnoRbaBFyKJX+AbuhM960Ee9+klAQAVedJwAA"}
 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1655734754615913,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1655734754615913,"pkt":"ABoRAAACABoRAAABCABFAAItVtJAAEAGeMYKnoRbaBFyKJX+AbuhM960Ee9+klAYAVc2sQAAFgMBAgABAAH8AwOffU2PEFvusphnSRt4iypv4+ZmiFJN5MhWLpPRgxBGWyBzS35friOfAWwzRvK4nOaCBJAbSD\/HvnzVJtlqjl91KAAYwCvALMypwC\/AMMyowBPAFACcAJ0ALwA1AQABm\/8BAAEAAAAAGQAXAAAUYXBpLnBvbGFyZ3JpenpseS5jb20AFwAAACMAwMEVNlaL0tdGnm3V54JqurXqfhCsyPABZtbMnzb26AxMffuozfeg4IKaCIbNJ3q2zznlQTcn2vtZGw2LgspfFkx\/\/ulZltuMfvovkdu6OxfbcYa5VnIF3xidmaUJ8SUPb79tJJFaBhFXEN61mvGK7zPpvVrV3mTyXEwUGGWTkZAGHvhktDm3FDiaeMeQoyzU\/JxID7YfTFAEkYxMS3+IaSjPuX3oi2kUbrLhwugcx7H6N+6QUOak1x1EA8eU6f8ZVAANABQAEgQDCAQEAQUDCAUFAQgGBgECAQAFAAUBAAAAAAAQAA4ADAJoMghodHRwLzEuMQALAAIBAAAKAAgABgAdABcAGAAVAGgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="}
@@ -126,7 +126,7 @@
 01122{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":312,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776538093,"flow_src_last_pkt_time":1655734776541777,"flow_dst_last_pkt_time":1655734776872181,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734776872181,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33848,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01402{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":313,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776512617,"flow_src_last_pkt_time":1655734776537556,"flow_dst_last_pkt_time":1655734776874125,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5473,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5473,"midstream":0,"thread_ts_usec":1655734776874125,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.154.236","src_port":50904,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.tunnelbear.com","tls": {"version":"TLSv1.2","server_names":"*.tunnelbear.com,tunnelbear.com","ja3":"a1c672bda2bda1a05bdca801144b2760","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tunnelbear.com","alpn":"h2,http\/1.1","fingerprint":"52:96:E2:83:CC:15:4E:B3:0F:5B:1D:E2:E8:FF:4E:A9:C4:E9:C0:AF"}}}
 01390{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":370,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776705767,"flow_src_last_pkt_time":1655734776708195,"flow_dst_last_pkt_time":1655734776969484,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734776969484,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":48222,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}}
-01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":39998.4,"max":340372,"stddev":83812.5,"var":7024526848.0,"ent":3.0,"data": [4054,5298,2009,3384,237730,240091,25,2380,9328,9409,226,61,1426,1484,112,59,79,69,100518,152574,52262,7046,20588,16017,10024,8002,820,1293,7036,6175,340372,0]},"pktlen": {"min":54,"avg":254.4,"max":2954,"stddev":516.4,"var":266681.9,"ent":3.7,"data": [74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954]},"bins": {"c_to_s": [3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":39998.4,"max":340372,"stddev":83812.5,"var":7024526848.0,"ent":3.0,"data": [4054,5298,2009,3384,237730,240091,25,2380,9328,9409,226,61,1426,1484,112,59,79,69,100518,152574,52262,7046,20588,16017,10024,8002,820,1293,7036,6175,340372]},"pktlen": {"min":54,"avg":254.4,"max":2954,"stddev":516.4,"var":266681.9,"ent":3.7,"data": [74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954]},"bins": {"c_to_s": [3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734777904202,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734777904202,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33858,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734777904202,"pkt":"ABoRAAACABoRAAABCABFAAA8VQtAAEAGAW8KCAABaBFyKIRCAbtalsosAAAAAKAC\/\/8YcQAAAgQFtAQCCAoBZJ8nAAAAAAEDAwg="}
 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":415,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777909352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734777909352,"pkt":"ABoRAAACABoRAAABCABFAAAoALVAABAGhdloEXIoCggAAQG7hEKlaTXTWpbKLVAS\/\/9FkgAA"}
@@ -157,10 +157,10 @@
 ~~ total active/idle flows...: 21/21
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6201483 bytes
-~~ total memory freed........: 6201483 bytes
+~~ total memory allocated....: 6201399 bytes
+~~ total memory freed........: 6201399 bytes
 ~~ total allocations/frees...: 122214/122214
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 495 chars
-~~ json string max len.......: 1719 chars
-~~ json string avg len.......: 1107 chars
+~~ json string max len.......: 1717 chars
+~~ json string avg len.......: 1106 chars
diff --git a/test/results/ubntac2.pcap.out b/test/results/ubntac2.pcap.out
index 2a70bff3a..4c38e985f 100644
--- a/test/results/ubntac2.pcap.out
+++ b/test/results/ubntac2.pcap.out
@@ -43,8 +43,8 @@
 ~~ total active/idle flows...: 8/8
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047049 bytes
-~~ total memory freed........: 6047049 bytes
+~~ total memory allocated....: 6047017 bytes
+~~ total memory freed........: 6047017 bytes
 ~~ total allocations/frees...: 121557/121557
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/ultrasurf.pcap.out b/test/results/ultrasurf.pcap.out
index 2b208744f..614abcb3d 100644
--- a/test/results/ultrasurf.pcap.out
+++ b/test/results/ultrasurf.pcap.out
@@ -5,21 +5,21 @@
 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731609846,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2576,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2576,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731609846,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 04022{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1656652731609853,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2646,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":2646,"pkt_l4_len":2608,"thread_ts_usec":1656652731609853,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAKRM7vQAA3BtrfQTFEGQqEABfDhZQKC2ONCUpUkTKAEAFmmhsAAAEBCAom3sgHA1a0\/YkZzIRfJcoGEDhjun+5RWZFRHORheFaka9qWEEqwSnKRQ8+fGAhhFa7EN5cpLsXBaX2yHZz8DtP4L0FIaDBHwFd5rA4GP5cmI7bfwLgg4FVeGP7SjUTC6qb+HQHzgd9GKJejKikQgtNuMoyW+WltSykS7MMuwC9XmFm880JdkonHY1odOp0bZesqC0Ef58K3CfEAwAV1rHerMtEb3ZHcVOr9dSu4VHvVdRPp+8WfCOtT114DN9xODhN5xizXNsKGb1Vqn77M3rN9osNOzf3tytH8Pevd1aIgf3Sm6YXA7VR5D7dvmhs0FN4QC+LDtkE\/6thA0uo\/lnZqMEIHcwUsGe918WbIwSGOk2MJbaAbJZUODyOfxe+T03WsJGCGLuDQ0m7AsMClrqgh8OHbm5U9HMCsMr4h4pvEhR0z2I+R7A\/GAWfQ1Lv84asTQ\/KcjVoTGNO\/qR9qnBDPz02vpUg0t1qIn5OZjHUJc1XlP7bcvV\/wKw3OfG2mX63GGvc7i7QZES09OVvvvQOx27EiD1xANcAMElPBG4AZ\/1ImDDO55WnYWPfINUR0Htt3CDZHS99b7xjoML0TE0baQJ3Jm38p3DdfsEGrsmIokmWO1TpdGRxB4MJLY3wn7Tw4tqDNqBMVruqsIN3XOP1je5K4jtfip7MN5mhXqQwq26JbXu4RN0QZgBwifB\/DFQoswvG8No+jWGMXSh9v0kJl9fw8bhx9lZpA3tQmLgRL3sOqJAHaqHBZRkJhuHh+Rjm\/6hTfFQ00ehtauLThf9ezdb2uY49gvz2DGebsNmTjFsOx+X4R9hsdpnezkh4aEpX5uL1bXi1H6uS64VjoFNEDHQpZ+3uZrYCmJilgBV0bv0nVghQl4kU33Pf7GIoPZuXhIQfS9VrHsdHbZpH1PU8M\/9PRmRmYlmeapu7XEZp4CzDGYPDSedJ8vQLqPyHzVwGcjHckBVdpjNiPAG5UPQoZ3wCl\/PxEywufemrmfmR\/5AqOpW8\/Wur6zMxw5YPRRe\/bygJ0G9Yqw0LVPvEBxGwFY9uVVI6IGaHAasiMKQLbkze7bdXM6QNfYFDnbbaxoOEV8QDh7YIhuz4gfbAW6eyQbJT2jQKjEHkd0tMaupNho4gKsMUwsj4nZlzTYJVJpDMcLimISegAqBKQ4i8foUUKiadz6eosf+e\/Jex37VfE+krt3zlcpISr8HTnFM1USFF0+9ct3a5KjyNHIWXBbdEjluidEueiRiWyxf4cTH4FbCD2xO9GNRkq9QZppurtJaFbRjXCrw9UUutzbcN9EQ4Cq+gKBSyYXwmUbkSGOLO9rE323nvwyvDcYVdrUsP+BGDklMzvNUHuJnRFouZ1R0WCXxlJrCNrMkgI+iuTt0BJzGXzfEkqc7fmNoiossOF4BZK08wWnsMWJPMsI5Aw3iU49xeiNCj74DW2jR92gY79iEsFrre1ny3NbSwl8EGB091wIYQyL7Ho3Xf3P3gT7nJkJZVIupHy1AL3OnXFLu0aQ9jZogZz0sFxzcPAzim0\/TD+aEJKEn3h1ZCM0dvkLQLeFEGKVhxypzfJLDO0hydYwloEETx3qJaVHzqs8Wq+SgnnsMzDPiMy\/H9mXbpWFOmZUY8c+RgPNNwEPY9sWGgREkghLZgVI4BmbR+1He8AIC\/Jqb6\/fZGK9Su8InqtBz4VDwmCvVjB5VmwRYgEff9Co9KEAKioF+rxsp7jx4CUT\/dUpBgwtPw1AAqwXhQ\/uIBWqnOLtB+sJapVDGqCd6YbeW67lUJtDoMU8VaKm8fednX12fDvla7u1M+CXOyIf\/4rq46zKsHemwKXMSG27KxCoqvfpu2RFyDoNiwIkywHe+mu0KXU6r0uKXXuXHjcqE1XT+Ol42P4hE1aTwsVJT\/aLRIVQDwKL6IhfLinh4zf9x0O\/I\/C1GeMvABe16jJTVzGkcz49endJCMetsRgtWR7oSOwEn5bVIocg8jZsCjdrwEvd6kjZWMsRgHhtbLq+aU27mgxUfacXWiiGTsT33DZFYnj2Gbfgh1MUmZNuxbwGQK74YsSlD8+37pnUDCdBxPu+Gf64VQKHxJ9RtZ7tBvjcOGhEiQQM2Bqm9+kC5dGL6whXOTdBD0aHE3e3jNhysBJXeznMxXLuH5BpQBNhY+pGCD36HH\/gl2POk5EvjD5emciTPfEvMoX\/pO1twUedLTeXtt4V8bNumuTzdRWus9vZCGnaJKWYY+IluLtxDKaBHhULnRKPZr7a3fqY4eZZWnvSv+6SyQfi\/guF4IkYLhqf3LM1QbKUpuoYVTCXDg\/iejAGelMIOMZk\/34eSGVjsk9H4ZDrbf+Wviyu10e\/3LGX4vZqXdNId0qCEAQQsb5bj67rIpqEUfO1gjj68uRkOWA5pTXz1Cw5OGMJDODQJgEJUgUxpgbiqUn1yGaEKOOaiaN2Vv5\/u+w6mqQni+gBiA0+4K0zEMbn8XRxSib6SxlyLQVFPK3+8NFm9X2am1AtSH1\/PoCM1+A0L4I8UddMiaV4KJVbD4gIsbkZTEL2rNpB7+3TEPLkz\/oWqgDlYpiSJoug71nGWFcD+HEERUlO5Z93B7c4XWme9gT2XSraJ9EGS47MTy8E5gSuzHgT06aAD1VDe0EzdVIhzO6QfLKRVyqK\/DkDAcF1dU\/CysJQuLXO26HE1qiZstmUL\/PmaIF1CAre3aq1TiBtKi47RcAusmfTZViQ5pBnP52RilqIkeFHO7qJ+Xe7UbBid1eckGMDShESIKSMkg323ewkUsCQrdbbCQCNxMP\/vovWIiozrHVfadoXMR1+s3vDeGvdijxN0cQlXKhRXEHz1q9AFZPP6OvHtyaigQOx7Av7+CCavPWtRnhVyR2jLsjvU\/P8W5IFa8Qs0a8CJRQpkCWniRyCA3gsdHuiU5LPzN9N6ilFVKYWl8zCdx1E0DuWVnebVHPp\/mSPBcwJb6Kn0mZE5F6Slv4ios+F0zFBa\/+ONDhj8YI3D0pzybuWoGGURZpxxZvXyeMYFUqAzWQpmxOYCpDyYaRzpVXybXDJxWUfNGwmd6Ve5t6JHTxK332fJRagMHTraU5uEpzRuAnBCqVX\/orlzGUbI38lDmfktCRZhIZ0TA4WOuMezAS\/U5UeZ\/Ky36Btzeqc\/GtSNTwfx5pintfeIcHnEiV69AT2a7sR3PISNs\/w0efL492At330L6CabtPqbX+3L9tP+74e7pNSOxbl7oi\/mRnKkb9k8n2BH6yIJJt5VxxH74+2OAUxERThSHVZlYSiPBPktL4R30L859p0z2Uz6qmrKoN1is1fQXX8xGHOr7PkuLtDJqwFDVFJJ9YkA7Dx2pq++TaR\/9pl4AeqnylRZtWT3EJRF\/MYY3nnisHit78gzVET6d1BuDKtwoAyw4mKyfoqWDMp6JOacbgYmXKL3bRC0doX8dbGOchwnFREadeVLCi\/Q5"}
 02275{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1656652731631188,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1358,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":1358,"pkt_l4_len":1320,"thread_ts_usec":1656652731631188,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAFPM7xQAA3Bt\/lQTFEGQqEABfDhZQKC2OXGUpUkTKAEAFmw0YAAAEBCAom3sgTA1a0\/SxS3iaqHGBX0a8rgr8EFwZv7fbGR3LsZjVMCYTlteWImHMg7dpDQx6QAkVSKrBDRWsAgkFKUO9XRHQzEdcVJv+Jk6+iQYy27OR2Ruv0q0NyJCK8q8neLYQxD7xGx95YziHhCPmx+v2VJKWqXvo5pekBzrhigp\/0TmX3aYQplVTgwksBVP1wSVYSvnxpw4x3MGHY6EK1PhkChr6I2QaCOOskNMVQXjje52Gr0TD6cnIJniT0zvgTXSdGXH4d1pNmH6VI38eKJmR97TCaHW4VbObiULCNV965z+H0nCojIGmrzSNlYRkWatbld8Zbak+Ve9Ye2qFSUfesBybrU8MPKChWDS4szas\/0\/+O+hp7fTEBfmCOnTwpeZ+9ckDlu30IjD3klrlcZcGx59JJ23VaL3mRHXN2m7OYXYqgEUyKkpkk87MSdGKaT3iv+xeB8fdAD0S5iESPxvCatNGVxlnPWQC6LE2Mwk\/UPzo8wmxmWU\/4g2SzkG6fIhc2KfKoBTSS\/18XObBYhTCKn8tmchtQQnCFEhJwUqNPVQHAM7VWv97\/MrpK1Gg3ow57h3u6bsT3zD+7JqhTzfzSb+JLf+gPPuPmKrDBND362h9HtUe4u54hmK0emiAYbKHemgqk5ObUECg98wBR8GbmhEjkgqd5l9MpJjXEnZd7YjYb9HqCPVuTVofELhtwiquLU41YKvkqj9qHY3i83C4I5rsGWBIQz9jCnG\/LAO0gc+K5MhM0jD8w9afyXqZxxIWbvFCzYdvaAxFsd+dbs6QyAzMjBlRwZZJGoKCRudoGu78iGcHZ9v4JjFh8PqFI5RKE50MXupgqZhn5s+mncV4ED4BR62InyQMO+2lSV8XApXho3jZD2BZYaHL8BxzViM2AnSYU40nV5P\/9Zcawh1bVQjVPNsaeHWxMJc5P+uhgQ7yN5cDddbbbFops91CwGboz\/Y\/iUMqNL+Au752094lP9CLdBHTtF0nwGndsTr7PXV2am5lVFY+07I13Rnwh96VlnzAEErq6QUJMFpXVjoILKF75mfhkzufc5ww1btEyyIToFedBu8inrM2nSfVR4GSH1acVyxGJN\/xPMqMoz7qX11hSlDnDNA70XCXcPknSvGQJeC42YvRZuyBXR4bSZJpW3uxAIMisVpx8HuvqUlRDvWeTkl\/KlLkLPqVG6A7V9IJ4CzPp2LGxX0mxIii\/hq8qrdBvVjXBSMG2kFGd1Gk2CYKUDdUedzWwHbeA+x19\/Z8W9DscgX5Ingwo9qBoCIrSYVEyo5A+Bu6P2A6MYai8bIL3N1ixp0uHekzl1S5Y5ONHOtGVOFVnwRx49hvB6HPO9wc0rIJSIsq9YnBJNWgIZNFkCjlBnZHso+vfBKU6hgL+4B1v8gJk8\/+OinGcG00MXqyjoV0hIPvX8fcu6dH9TclFMmJS42m7WMCCPvMCk17qoAwiC5hrfwamrAiYI\/PEcMUUmJwNoLE7aKVZ7926CN5wXkVGlgQDYNSoxPqXoHqtbU6arZQtfgfxuD27lKKUbZm7keaLAlr7T5d0Wedi07GEwl0yp+Np4OWX5kU2Sgn3juSmnKnaCzCcLk2W4PsHrD6xcXA4Ni176mRo2kV4lUcSZ9ReNwImdlBbdKoXwKkzjV8Aa0hRPMOK2kTBCfB1GhE91TGa9BbzjtvK4JbGfzJcCXKDHd6qGUGMR+lTKBl2gIfVx9fr7SRFiR3Ky\/s="}
-01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20837.6,"max":150485,"stddev":35657.5,"var":1271454592.0,"ent":3.6,"data": [7,21335,5,10969,29128,61453,2,10832,4,9189,30801,10791,6,19965,5,29291,5,3,3,9324,30618,150485,11,11883,141836,4,17858,20033,9,20018,10094,0]},"pktlen": {"min":98,"avg":1366.5,"max":2646,"stddev":1007.2,"var":1014474.8,"ent":4.5,"data": [2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10],"s_to_c": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20837.6,"max":150485,"stddev":35657.5,"var":1271454592.0,"ent":3.6,"data": [7,21335,5,10969,29128,61453,2,10832,4,9189,30801,10791,6,19965,5,29291,5,3,3,9324,30618,150485,11,11883,141836,4,17858,20033,9,20018,10094]},"pktlen": {"min":98,"avg":1366.5,"max":2646,"stddev":1007.2,"var":1014474.8,"ent":4.5,"data": [2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10],"s_to_c": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778161151,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778161151,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPJe\/QAA\/BhQYCoQAF0ExRBmU6MOFszN1DQAAAACgAv\/\/UcYAAAIEBVAEAggKA1bisgAAAAABAwMI"}
 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2970,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778372319,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZTovxOnA7MzdQ6gEnEg1IYAAAIEBYwEAggKJt9+2gNW4rIBAwMJ"}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2974,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1656652778421535,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652778421535,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANJfAQAA\/BhQfCoQAF0ExRBmU6MOFszN1Dr8TpwSAEAFXcrgAAAEBCAoDVuLwJt9+2g=="}
 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2975,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778421539,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2977,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778641896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652778641896,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01942{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62676.8,"max":270784,"stddev":99488.0,"var":9897854976.0,"ent":3.4,"data": [211168,260384,4,269572,5,10096,9894,260379,4,20013,20030,10943,4,270784,9694,4,10276,229481,5,19977,40078,29866,14,10092,29929,210869,5,2,9,9396,4,0]},"pktlen": {"min":70,"avg":367.3,"max":1418,"stddev":449.6,"var":202163.0,"ent":4.1,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131]},"bins": {"c_to_s": [7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01940{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62676.8,"max":270784,"stddev":99488.0,"var":9897854976.0,"ent":3.4,"data": [211168,260384,4,269572,5,10096,9894,260379,4,20013,20030,10943,4,270784,9694,4,10276,229481,5,19977,40078,29866,14,10092,29929,210869,5,2,9,9396,4]},"pktlen": {"min":70,"avg":367.3,"max":1418,"stddev":449.6,"var":202163.0,"ent":4.1,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131]},"bins": {"c_to_s": [7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831434184,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831434184,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPDStQAA\/BncqCoQAF0ExRBmVCMOFn9EiagAAAACgAv\/\/g5YAAAIEBVAEAggKA1cWxwAAAAABAwMI"}
 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7491,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831643678,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZUIPEwzlZ\/RImugEnEgLEwAAAIEBYwEAggKJuBPGgNXFscBAwMJ"}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7496,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1656652831673898,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652831673898,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANDSuQAA\/BncxCoQAF0ExRBmVCMOFn9EiazxMM5aAEAFXyn8AAAEBCAoDVxcDJuBPGg=="}
 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7499,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831673908,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7502,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831894735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652831894735,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01926{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":58770.5,"max":269120,"stddev":100848.2,"var":10170350592.0,"ent":3.1,"data": [209494,239714,10,251051,6,11439,12,260675,5,9589,20029,20030,269120,19987,5,231024,5,19971,10,4,3,3,2,249606,8,2,3,3,10064,10,3,0]},"pktlen": {"min":70,"avg":403.6,"max":1418,"stddev":479.7,"var":230117.0,"ent":4.2,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358]},"bins": {"c_to_s": [7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":58770.5,"max":269120,"stddev":100848.2,"var":10170350592.0,"ent":3.1,"data": [209494,239714,10,251051,6,11439,12,260675,5,9589,20029,20030,269120,19987,5,231024,5,19971,10,4,3,3,2,249606,8,2,3,3,10064,10,3]},"pktlen": {"min":70,"avg":403.6,"max":1418,"stddev":479.7,"var":230117.0,"ent":4.2,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358]},"bins": {"c_to_s": [7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1802,"flow_dst_packets_processed":1169,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652778352349,"flow_dst_last_pkt_time":1656652778381476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":1802,"flow_src_tot_l4_payload_len":2740999,"flow_dst_tot_l4_payload_len":23869,"midstream":1,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 01154{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1826,"flow_dst_packets_processed":2699,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652831683725,"flow_dst_last_pkt_time":1656652831663695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1505,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":76106,"flow_dst_tot_l4_payload_len":4310303,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 01151{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":304,"flow_dst_packets_processed":342,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652839654386,"flow_dst_last_pkt_time":1656652839634354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1391,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":56893,"flow_dst_tot_l4_payload_len":279549,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -32,8 +32,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6299970 bytes
-~~ total memory freed........: 6299970 bytes
+~~ total memory allocated....: 6299958 bytes
+~~ total memory freed........: 6299958 bytes
 ~~ total allocations/frees...: 129663/129663
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/upnp.pcap.out b/test/results/upnp.pcap.out
index eb40714c1..dd30b34a6 100644
--- a/test/results/upnp.pcap.out
+++ b/test/results/upnp.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037623 bytes
-~~ total memory freed........: 6037623 bytes
+~~ total memory allocated....: 6037615 bytes
+~~ total memory freed........: 6037615 bytes
 ~~ total allocations/frees...: 121509/121509
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
diff --git a/test/results/viber.pcap.out b/test/results/viber.pcap.out
index f067c7c7d..74feed818 100644
--- a/test/results/viber.pcap.out
+++ b/test/results/viber.pcap.out
@@ -56,7 +56,7 @@
 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641865014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155641868230,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":89,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155641890520,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890790,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1527155641890790,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":8869.6,"max":47784,"stddev":14735.4,"var":217133360.0,"ent":3.3,"data": [19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080,0]},"pktlen": {"min":66,"avg":728.1,"max":1514,"stddev":673.4,"var":453425.2,"ent":4.3,"data": [74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0]}}
+01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":8869.6,"max":47784,"stddev":14735.4,"var":217133360.0,"ent":3.3,"data": [19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080]},"pktlen": {"min":66,"avg":728.1,"max":1514,"stddev":673.4,"var":453425.2,"ent":4.3,"data": [74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0]}}
 01381{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155644240774,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155644240774,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1527155644240774,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0lAAEARXnTAqAARrNkXaqQJAbsAHwH3DO5PoOHayJNED10MJ0pTvsIOJQ7muOI="}
@@ -93,7 +93,7 @@
 01039{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648523699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155648533128,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01053{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":217,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648544884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155648544884,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1527155666982912,"flow_dst_last_pkt_time":1527155646968117,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1527155666982912,"pkt":"AQBeAAD7MAdNo1+nCABFAABZIsxAAP8RtxLAqAAR4AAA+xTpFOkARSvGAAUAAAACAAAAAAAACV84MDU3NDFDOQRfc3ViC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAcAbAAwAAQ=="}
-01621{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":1934444.6,"max":10701681,"stddev":2902413.2,"var":8424002682880.0,"ent":3.5,"data": [54240,95930,270,43992,41788,57048,16087,92087,91609,10563926,10701681,4192149,4152724,4422076,4422070,309467,309552,21641,197002,97,215011,3974475,3934854,3635331,52554,3635290,52615,12721,140816,167507,4361173,0]},"pktlen": {"min":66,"avg":155.7,"max":596,"stddev":133.2,"var":17739.8,"ent":4.6,"data": [167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596]},"bins": {"c_to_s": [4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0]}}
+01619{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":1934444.6,"max":10701681,"stddev":2902413.2,"var":8424002682880.0,"ent":3.5,"data": [54240,95930,270,43992,41788,57048,16087,92087,91609,10563926,10701681,4192149,4152724,4422076,4422070,309467,309552,21641,197002,97,215011,3974475,3934854,3635331,52554,3635290,52615,12721,140816,167507,4361173]},"pktlen": {"min":66,"avg":155.7,"max":596,"stddev":133.2,"var":17739.8,"ent":4.6,"data": [167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596]},"bins": {"c_to_s": [4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0]}}
 00874{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":260,"source":"viber.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155670632131,"flow_src_last_pkt_time":1527155670632131,"flow_dst_last_pkt_time":1527155670632131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155670632131,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":45424,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -116,7 +116,7 @@
 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":276,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671237849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155671250450,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}}
 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":278,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423359,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155671423359,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}}
 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":281,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":4873,"midstream":0,"thread_ts_usec":1527155671423665,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","subjectDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}}
-01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":129,"avg":328607.8,"max":525007,"stddev":210300.8,"var":44226416640.0,"ent":4.6,"data": [129,33097,500276,500261,503516,15204,503250,15302,516057,515704,477654,477626,36790,36786,524953,525007,440389,440669,68112,67828,523108,523160,411969,411845,84133,84199,517782,517791,399760,399674,114810,0]},"pktlen": {"min":62,"avg":163.2,"max":299,"stddev":100.4,"var":10086.1,"ent":4.7,"data": [299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":129,"avg":328607.8,"max":525007,"stddev":210300.8,"var":44226416640.0,"ent":4.6,"data": [129,33097,500276,500261,503516,15204,503250,15302,516057,515704,477654,477626,36790,36786,524953,525007,440389,440669,68112,67828,523108,523160,411969,411845,84133,84199,517782,517791,399760,399674,114810]},"pktlen": {"min":62,"avg":163.2,"max":299,"stddev":100.4,"var":10086.1,"ent":4.7,"data": [299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679410348,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679410348,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679410348,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8V2ZAAEAGC9HAqAAREskEA4PQAbvgGt8vAAAAAKAC\/\/+jOgAAAgQFtAQCCAoAIYhJAAAAAAEDAwc="}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":358,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155679411371,"flow_dst_last_pkt_time":1527155679411371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":257,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":257,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679411371,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -131,7 +131,7 @@
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":364,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679443640,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAACsGeDcSyQQDwKgAEQG7g9B0pK754BrfMKASaN\/EGgAAAgQFtAQCCAoA5FGtACGISQEDAwc="}
 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":365,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1527155679444692,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1527155679444692,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0V2dAAEAGC9jAqAAREskEA4PQAbvgGt8wdKSu+oAQAq1ZEAAAAQEICgAhiFIA5FGt"}
 00882{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":374,"source":"viber.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1527155647500374,"flow_src_last_pkt_time":1527155647500402,"flow_dst_last_pkt_time":1527155647500374,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155680456436,"l3_proto":"ip6","src_ip":"fe80::3207:4dff:fea3:5fa7","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":261664.5,"max":531417,"stddev":244884.4,"var":59968385024.0,"ent":4.1,"data": [2549,75,31700,2304,505528,505691,496908,2109,6670,496650,8720,505323,505404,490799,100,14960,490657,15090,513169,513225,531417,103,49,531356,217,492947,492967,448249,97,448143,58424,0]},"pktlen": {"min":54,"avg":143.8,"max":299,"stddev":99.7,"var":9932.1,"ent":4.7,"data": [299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":261664.5,"max":531417,"stddev":244884.4,"var":59968385024.0,"ent":4.1,"data": [2549,75,31700,2304,505528,505691,496908,2109,6670,496650,8720,505323,505404,490799,100,14960,490657,15090,513169,513225,531417,103,49,531356,217,492947,492967,448249,97,448143,58424]},"pktlen": {"min":54,"avg":143.8,"max":299,"stddev":99.7,"var":9932.1,"ent":4.7,"data": [299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155685529875,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8KqJAAEARjp7AqAARwKgAD8OxADUAKKNciEIBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
 00996{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -201,8 +201,8 @@
 ~~ total active/idle flows...: 29/29
 ~~ total timeout flows.......: 3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6254128 bytes
-~~ total memory freed........: 6254128 bytes
+~~ total memory allocated....: 6254012 bytes
+~~ total memory freed........: 6254012 bytes
 ~~ total allocations/frees...: 122268/122268
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/vnc.pcap.out b/test/results/vnc.pcap.out
index 189a34536..4e319770e 100644
--- a/test/results/vnc.pcap.out
+++ b/test/results/vnc.pcap.out
@@ -5,13 +5,13 @@
 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1476111264364066,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111264364590,"pkt":"xOodxQGGEP7tAkntCABFAAA0fFNAAIAGAADAqAJuX+0w0Br06Y8QfmeF6sUwZYASIABT+gAAAgQFtAEDAwgBAQQC"}
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1476111264402886,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111264402886,"pkt":"EP7tAkntxOodxQGGCABFAAAoXs5AAHQGVC5f7TDQwKgCbumPGvTqxTBlEH5nhlAQQTqDEwAAAAAAAAAA"}
 01107{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111264453192,"flow_dst_last_pkt_time":1476111264414487,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111264453192,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
-01920{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":57984.8,"max":545295,"stddev":113391.3,"var":12857594880.0,"ent":3.2,"data": [524,38820,49897,50306,38760,37061,157832,7049,164493,745,37544,181,35,36356,3,37327,1189,1,198,747,2,747,516,199031,310273,46,50,545295,719,22308,59473,0]},"pktlen": {"min":54,"avg":70.6,"max":89,"stddev":12.8,"var":163.2,"ent":5.0,"data": [66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54]},"bins": {"c_to_s": [12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01918{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":57984.8,"max":545295,"stddev":113391.3,"var":12857594880.0,"ent":3.2,"data": [524,38820,49897,50306,38760,37061,157832,7049,164493,745,37544,181,35,36356,3,37327,1189,1,198,747,2,747,516,199031,310273,46,50,545295,719,22308,59473]},"pktlen": {"min":54,"avg":70.6,"max":89,"stddev":12.8,"var":163.2,"ent":5.0,"data": [66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54]},"bins": {"c_to_s": [12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1476111286462067,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462067,"pkt":"EP7tAkntxOodxQGGCABFAAA0be5AAHQGRQJf7TDQwKgCbslnGvTjPDftAAAAAIACIAD7xAAAAgQFrAEDAwIBAQQC"}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3545,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462174,"pkt":"xOodxQGGEP7tAkntCABFAAA0AmNAAIAGAADAqAJuX+0w0Br0yWdPW3mt4zw37oASIABT+gAAAgQFtAEDAwgBAQQC"}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3546,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1476111286499568,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111286499568,"pkt":"EP7tAkntxOodxQGGCABFAAAobe9AAHQGRQ1f7TDQwKgCbslnGvTjPDfuT1t5rlAQQTpSNgAAAAAAAAAA"}
 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3548,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286549120,"flow_dst_last_pkt_time":1476111286510841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111286549120,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
-01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":53542.1,"max":538844,"stddev":125065.9,"var":15641482240.0,"ent":3.0,"data": [107,37501,48667,49552,38334,36850,46381,48516,45667,1708,45497,182,37420,547,413,36764,2984,39898,772,181,762,824,181,2,1005,501772,46,703,538844,2,97724,0]},"pktlen": {"min":54,"avg":70.8,"max":89,"stddev":12.6,"var":158.0,"ent":5.0,"data": [66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81]},"bins": {"c_to_s": [13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
+01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":53542.1,"max":538844,"stddev":125065.9,"var":15641482240.0,"ent":3.0,"data": [107,37501,48667,49552,38334,36850,46381,48516,45667,1708,45497,182,37420,547,413,36764,2984,39898,772,181,762,824,181,2,1005,501772,46,703,538844,2,97724]},"pktlen": {"min":54,"avg":70.8,"max":89,"stddev":12.6,"var":158.0,"ent":5.0,"data": [66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81]},"bins": {"c_to_s": [13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 01157{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":684,"flow_dst_packets_processed":324,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111290613528,"flow_dst_last_pkt_time":1476111290394024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":17754,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 01158{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2485,"flow_dst_packets_processed":1058,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111280884547,"flow_dst_last_pkt_time":1476111280846496,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":64000,"flow_dst_tot_l4_payload_len":300,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}}
 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","packets-captured":4551,"packets-processed":4551,"total-skipped-flows":0,"total-l4-payload-len":82266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1476111290613528}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6173368 bytes
-~~ total memory freed........: 6173368 bytes
+~~ total memory allocated....: 6173360 bytes
+~~ total memory freed........: 6173360 bytes
 ~~ total allocations/frees...: 126052/126052
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
-~~ json string max len.......: 1929 chars
-~~ json string avg len.......: 1207 chars
+~~ json string max len.......: 1927 chars
+~~ json string avg len.......: 1206 chars
diff --git a/test/results/vrrp3.pcapng.out b/test/results/vrrp3.pcapng.out
index 62070809e..ed6e8115c 100644
--- a/test/results/vrrp3.pcapng.out
+++ b/test/results/vrrp3.pcapng.out
@@ -19,8 +19,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037507 bytes
-~~ total memory freed........: 6037507 bytes
+~~ total memory allocated....: 6037499 bytes
+~~ total memory freed........: 6037499 bytes
 ~~ total allocations/frees...: 121505/121505
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/vxlan.pcap.out b/test/results/vxlan.pcap.out
index 0c8852c3d..0dc90fb2b 100644
--- a/test/results/vxlan.pcap.out
+++ b/test/results/vxlan.pcap.out
@@ -41,8 +41,8 @@
 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639650443097770,"flow_src_last_pkt_time":1639650443097770,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":62,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443097770,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60230,"dst_port":4789,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1639650443097913,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097913,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOJAABAEcmwwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YTAAAAAFAEAABE2gAA"}
 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1639650443097920,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097920,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOKAABAEcmvwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YUAAAAAFAEAABE2QAA"}
-01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":10133.0,"max":140558,"stddev":31047.2,"var":963930240.0,"ent":2.2,"data": [10532,1402,105,10,11439,530,9521,113264,10571,140558,101,64,3057,190,558,175,1284,181,1316,3621,187,402,189,2282,184,313,186,833,189,694,184,0]},"pktlen": {"min":120,"avg":1169.7,"max":1500,"stddev":546.6,"var":298767.6,"ent":4.8,"data": [128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":10747.9,"max":150839,"stddev":30032.6,"var":901957440.0,"ent":2.5,"data": [10329,305,11530,200,4,1301,10031,41817,81536,403,150839,3109,802,1504,1403,3811,602,2508,504,1003,903,802,707,803,710,2107,301,402,2307,401,201,0]},"pktlen": {"min":120,"avg":143.1,"max":438,"stddev":68.2,"var":4655.6,"ent":4.9,"data": [128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120]},"bins": {"c_to_s": [0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":10133.0,"max":140558,"stddev":31047.2,"var":963930240.0,"ent":2.2,"data": [10532,1402,105,10,11439,530,9521,113264,10571,140558,101,64,3057,190,558,175,1284,181,1316,3621,187,402,189,2282,184,313,186,833,189,694,184]},"pktlen": {"min":120,"avg":1169.7,"max":1500,"stddev":546.6,"var":298767.6,"ent":4.8,"data": [128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":10747.9,"max":150839,"stddev":30032.6,"var":901957440.0,"ent":2.5,"data": [10329,305,11530,200,4,1301,10031,41817,81536,403,150839,3109,802,1504,1403,3811,602,2508,504,1003,903,802,707,803,710,2107,301,402,2307,401,201]},"pktlen": {"min":120,"avg":143.1,"max":438,"stddev":68.2,"var":4655.6,"ent":4.9,"data": [128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120]},"bins": {"c_to_s": [0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442864784,"flow_src_last_pkt_time":1639650442864881,"flow_dst_last_pkt_time":1639650442864784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":84,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60351,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00903{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442902284,"flow_src_last_pkt_time":1639650442930989,"flow_dst_last_pkt_time":1639650442902284,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":141,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":270,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":50251,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":56,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443276182,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68647,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -61,8 +61,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6052352 bytes
-~~ total memory freed........: 6052352 bytes
+~~ total memory allocated....: 6052316 bytes
+~~ total memory freed........: 6052316 bytes
 ~~ total allocations/frees...: 121694/121694
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/wa_video.pcap.out b/test/results/wa_video.pcap.out
index 5c681e28c..367b7bfbe 100644
--- a/test/results/wa_video.pcap.out
+++ b/test/results/wa_video.pcap.out
@@ -35,10 +35,10 @@
 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1561455770313920,"pkt":"AQBef\/\/6kLkxKPrKCABFAAClcA8AAAIRlYrAqAIM7\/\/\/+shNB2wAkeqFTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="}
 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}}
-01570{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":181593.4,"max":2404473,"stddev":480680.3,"var":231053524992.0,"ent":2.4,"data": [51726,176830,2,439642,1227815,753,306057,108901,2404473,241,10,252,9,41,323,133116,635,40681,277,7651,7949,1743,1602,528764,1087,660,696,654,2651,2561,0,0]},"pktlen": {"min":66,"avg":282.4,"max":1454,"stddev":335.2,"var":112371.9,"ent":4.3,"data": [614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220]},"bins": {"c_to_s": [11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0]}}
+01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":181593.4,"max":2404473,"stddev":480680.3,"var":231053524992.0,"ent":2.4,"data": [51726,176830,2,439642,1227815,753,306057,108901,2404473,241,10,252,9,41,323,133116,635,40681,277,7651,7949,1743,1602,528764,1087,660,696,654,2651,2561]},"pktlen": {"min":66,"avg":282.4,"max":1454,"stddev":335.2,"var":112371.9,"ent":4.3,"data": [614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220]},"bins": {"c_to_s": [11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0]}}
 00882{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00883{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
-01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":64034.3,"max":550126,"stddev":135549.6,"var":18373693440.0,"ent":3.1,"data": [95,13142,1109,548212,794,550126,16210,117,20333,106,23568,573,14505,979,116,79305,29641,99,23164,167,19951,342,24390,3500,104447,150456,15882,197610,75380,2499,68245,0]},"pktlen": {"min":44,"avg":345.6,"max":514,"stddev":205.8,"var":42355.1,"ent":4.7,"data": [168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62]},"bins": {"c_to_s": [3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":64034.3,"max":550126,"stddev":135549.6,"var":18373693440.0,"ent":3.1,"data": [95,13142,1109,548212,794,550126,16210,117,20333,106,23568,573,14505,979,116,79305,29641,99,23164,167,19951,342,24390,3500,104447,150456,15882,197610,75380,2499,68245]},"pktlen": {"min":44,"avg":345.6,"max":514,"stddev":205.8,"var":42355.1,"ent":4.7,"data": [168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62]},"bins": {"c_to_s": [3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00911{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1561455772049243,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqwAAP8RG\/kAAAAA\/\/\/\/\/wBEAEMBNNtQAQEGAH5K8tcAMwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
 00956{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lucas-imac","dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}}
@@ -55,7 +55,7 @@
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":434,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1561455782059394,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782059394,"pkt":"xiwDYGpkkLkxKPrKCABFAABI8PwAAEARMsXAqAIMW\/w4M9G4f4EANE0kAAEAGCESpEKAWzwjt5VRcfVmBmsACAAUJw9zjdQvQsjy5FQih0Itb6wHKg0="}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782574285,"flow_dst_last_pkt_time":1561455781247252,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782574285,"pkt":"xiwDYGpkkLkxKPrKCABFAABIwHEAAEARqAPAqAIMATxOQNG46GMANGXPAAEAGCESpEIoM9pd\/2PDbhKoL1oACAAUvqQBu1i76V7zg0ib1\/6QLghtUUY="}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":497,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782679175,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782679175,"pkt":"xiwDYGpkkLkxKPrKCABFAABINRkAAEAR7qjAqAIMW\/w4M9G4f4EANKRJAAEAGCESpEL4j9YAEpPJGTu3VCAACAAUGXORRrB48FGvPcJutSVccHGlcxM="}
-01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":150054.5,"max":1979427,"stddev":383224.6,"var":146861080576.0,"ent":2.7,"data": [707140,619781,619147,1979427,36290,69699,132037,26361,100137,1489,36501,24632,139,224,338,341,10692,26140,102372,15137,296,563,516,886,169,757,7597,915,148,631,131189,0]},"pktlen": {"min":86,"avg":537.5,"max":1160,"stddev":432.0,"var":186635.8,"ent":4.5,"data": [86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224]},"bins": {"c_to_s": [0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":150054.5,"max":1979427,"stddev":383224.6,"var":146861080576.0,"ent":2.7,"data": [707140,619781,619147,1979427,36290,69699,132037,26361,100137,1489,36501,24632,139,224,338,341,10692,26140,102372,15137,296,563,516,886,169,757,7597,915,148,631,131189]},"pktlen": {"min":86,"avg":537.5,"max":1160,"stddev":432.0,"var":186635.8,"ent":4.5,"data": [86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224]},"bins": {"c_to_s": [0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455791449110,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxMkoAAEARwOHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="}
 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -91,8 +91,8 @@
 ~~ total active/idle flows...: 14/14
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6112364 bytes
-~~ total memory freed........: 6112364 bytes
+~~ total memory allocated....: 6112308 bytes
+~~ total memory freed........: 6112308 bytes
 ~~ total allocations/frees...: 123181/123181
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/wa_voice.pcap.out b/test/results/wa_voice.pcap.out
index b55763fff..10f6dce70 100644
--- a/test/results/wa_voice.pcap.out
+++ b/test/results/wa_voice.pcap.out
@@ -23,7 +23,7 @@
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1561455688704143,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1561455688744885,"pkt":"kLkxKPrKxiwDYGpkCABFAAA8AAAAAFMG8uKd8BQ1wKgCDBRmwMsu6BkVm9EK2qASbHAbGAAAAgQFeAQCCAoefUIDNM3yoAEDAwg="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1561455688841176,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455688841176,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxerAqAIMnfAUNcDLFGab0QraLugZFoAQCAytcgAAAQEICjTN8zsefUID"}
 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689011542,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":256,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":256,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689011542,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
-01694{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43878.7,"max":304081,"stddev":76394.5,"var":5836114944.0,"ent":3.2,"data": [40742,137033,170366,304081,130232,56,30959,5260,28,391,1,177,42,1186,210132,335,9,41,206,11,311,41447,129925,50,6,6,5,1043,24269,131853,38,0]},"pktlen": {"min":66,"avg":309.4,"max":1454,"stddev":467.5,"var":218553.5,"ent":3.9,"data": [78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66]},"bins": {"c_to_s": [11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43878.7,"max":304081,"stddev":76394.5,"var":5836114944.0,"ent":3.2,"data": [40742,137033,170366,304081,130232,56,30959,5260,28,391,1,177,42,1186,210132,335,9,41,206,11,311,41447,129925,50,6,6,5,1043,24269,131853,38]},"pktlen": {"min":66,"avg":309.4,"max":1454,"stddev":467.5,"var":218553.5,"ent":3.9,"data": [78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66]},"bins": {"c_to_s": [11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1561455689728258,"pkt":"xiwDYGpkkLkxKPrKCABFAABL058AAP8RYqTAqAIMwKgCAdgAADUAN5FDM2kBAAABAAAAAAAADG1lZGlhLW14cDEtMQNjZG4Id2hhdHNhcHADbmV0AAABAAE="}
 01023{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.WhatsAppFiles","proto_id":"5.242","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -35,7 +35,7 @@
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1561455690036803,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455690036803,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGAtDAqAIMHw1WM8VHAbtOnG1l7gMI\/YAQBAZZdQAAAQEICjTOBV2HqaVz"}
 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455690039586,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455690058075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455690058075,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01694{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21034.6,"max":163286,"stddev":47564.2,"var":2262348544.0,"ent":2.5,"data": [19749,127653,2783,126251,2925,28,22,21046,163,145211,12,6,5,40,5,163286,2,38,250,1,16,17472,279,12,8,2386,284,150,389,567,0,0]},"pktlen": {"min":66,"avg":357.6,"max":1454,"stddev":489.7,"var":239839.3,"ent":4.0,"data": [78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21034.6,"max":163286,"stddev":47564.2,"var":2262348544.0,"ent":2.5,"data": [19749,127653,2783,126251,2925,28,22,21046,163,145211,12,6,5,40,5,163286,2,38,250,1,16,17472,279,12,8,2386,284,150,389,567]},"pktlen": {"min":66,"avg":357.6,"max":1454,"stddev":489.7,"var":239839.3,"ent":4.0,"data": [78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455701309996,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxXcMAAEARlWjAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="}
 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -98,7 +98,7 @@
 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1561455707513528,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455707513528,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxevAqAIMnfAUNMVIAbt68MpOu7CnhYAQBAb72QAAAQEICjTOSZq1oF6C"}
 01152{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":251,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455707524675,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":253,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707564246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455707564246,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
-01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":19593.0,"max":129132,"stddev":30818.3,"var":949767616.0,"ent":3.5,"data": [37234,38970,11147,51469,985,103,11,42805,136,34645,3771,380,216,299,76165,5,34895,421,279,3605,27,2938,1342,3436,77447,53735,129132,1406,40,219,120,0]},"pktlen": {"min":66,"avg":388.4,"max":1454,"stddev":526.3,"var":277041.4,"ent":4.0,"data": [78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":19593.0,"max":129132,"stddev":30818.3,"var":949767616.0,"ent":3.5,"data": [37234,38970,11147,51469,985,103,11,42805,136,34645,3771,380,216,299,76165,5,34895,421,279,3605,27,2938,1342,3436,77447,53735,129132,1406,40,219,120]},"pktlen": {"min":66,"avg":388.4,"max":1454,"stddev":526.3,"var":277041.4,"ent":4.0,"data": [78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709888553,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1561455709888553,"pkt":"AQBeAAD7kLkxKPrKCABFAABNP9UAAP8R2BrAqAIM4AAA+xTpFOkAOUTGAAAAAAACAAAAAAAABV9yYW9wBF90Y3AFbG9jYWwAAAwAAQhfYWlycGxhecASAAwAAQ=="}
 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709890098,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":111,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":111,"pkt_l4_len":57,"thread_ts_usec":1561455709890098,"pkt":"MzMAAAD7kLkxKPrKht1gDagnADkR\/\/6AAAAAAAAABBRAnYr9nwX\/AgAAAAAAAAAAAAAAAAD7FOkU6QA5e0MAAAAAAAIAAAAAAAAFX3Jhb3AEX3RjcAVsb2NhbAAADAABCF9haXJwbGF5wBIADAAB"}
 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1561455709984212,"flow_dst_last_pkt_time":1561455706979952,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":174,"pkt_l4_len":140,"thread_ts_usec":1561455709984212,"pkt":"AQBef\/\/6kLkxKPrKCABFAACggMsAAAIRhNPAqAIM7\/\/\/+vzMB2wAjOY9TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTklQQ29ubmVjdGlvbjoxDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KTVg6IDMNCg0K"}
@@ -114,14 +114,14 @@
 01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":465,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455730495456,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455730495456,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":473,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1561455731073692,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731073692,"pkt":"kLkxKPrKxiwDYGpkCABFAABIAlEAADERMHFb\/DgzwKgCDH\/A3AgANGApAAEAGCESpELobM0y9AHrYlN0+hgACAAU\/c20Lcr5wjE5JYKvJct9qbua6og="}
 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731356183,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455731356183,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxjdoAAEARZVHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="}
-01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1588209.8,"max":12196243,"stddev":3050402.8,"var":9304956469248.0,"ent":3.2,"data": [61,13448,128,12194152,12196243,104402,58,105108,1,108628,104619,3043264,3048902,3100925,3096031,3015294,3016553,2001940,2156,107078,164036,190107,88523,28769,198646,133957,3008088,90958,35571,314,36546,0]},"pktlen": {"min":44,"avg":124.0,"max":320,"stddev":87.2,"var":7598.9,"ent":4.7,"data": [168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86]},"bins": {"c_to_s": [6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1588209.8,"max":12196243,"stddev":3050402.8,"var":9304956469248.0,"ent":3.2,"data": [61,13448,128,12194152,12196243,104402,58,105108,1,108628,104619,3043264,3048902,3100925,3096031,3015294,3016553,2001940,2156,107078,164036,190107,88523,28769,198646,133957,3008088,90958,35571,314,36546]},"pktlen": {"min":44,"avg":124.0,"max":320,"stddev":87.2,"var":7598.9,"ent":4.7,"data": [168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86]},"bins": {"c_to_s": [6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731665769,"pkt":"xiwDYGpkkLkxKPrKCABFAABId7IAAEAR8MLAqAIMATxOQNwI+xoANL93AAEAGCESpEJNNg9OA5IbZKhKGmoACAAUkUJIDnID0ka3i4LpQfhGRUa3K\/w="}
 01093{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":503,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731697327,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731697327,"pkt":"kLkxKPrKxiwDYGpkCABFAABI\/gUAADERNLxb\/DgzwKgCDH\/A3AgANISZAAEAGCESpEKSaahiiU3KFyQDpDgACAAUPvQQqrwwB3kMX1876e4ssz8N17Y="}
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":518,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1561455732298035,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732298035,"pkt":"xiwDYGpkkLkxKPrKCABFAABIre0AAEARuofAqAIMATxOQNwI+xoANHLOAAEAGCESpEIrgAUzrwTeBSrSSH8ACAAUv8Ev3sei+dcRfEZy9ei0mRui3Zw="}
 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":528,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1561455732919461,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732919461,"pkt":"xiwDYGpkkLkxKPrKCABFAABIV+kAAEAREIzAqAIMATxOQNwI+xoANBvDAAEAGCESpELCs7YUVt8QVzF73yEACAAUMmINwHB46SKyj3xrODHnuD6GHSA="}
-01907{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":182324.6,"max":1203723,"stddev":228895.9,"var":52393320448.0,"ent":4.2,"data": [578236,623635,1203723,72457,167216,11596,115693,158378,2,172820,173607,169808,156213,136586,155315,179817,99336,157427,38286,163380,181314,166574,142422,2967,25967,115313,6126,171847,106305,56249,143448,0]},"pktlen": {"min":68,"avg":158.9,"max":315,"stddev":51.7,"var":2672.5,"ent":4.9,"data": [86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193]},"bins": {"c_to_s": [1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01905{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":182324.6,"max":1203723,"stddev":228895.9,"var":52393320448.0,"ent":4.2,"data": [578236,623635,1203723,72457,167216,11596,115693,158378,2,172820,173607,169808,156213,136586,155315,179817,99336,157427,38286,163380,181314,166574,142422,2967,25967,115313,6126,171847,106305,56249,143448]},"pktlen": {"min":68,"avg":158.9,"max":315,"stddev":51.7,"var":2672.5,"ent":4.9,"data": [86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193]},"bins": {"c_to_s": [1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00915{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":632,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874172,"flow_src_last_pkt_time":1561455737893179,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737893179,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}}
 00924{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":633,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874523,"flow_src_last_pkt_time":1561455737895397,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737895397,"l3_proto":"ip6","src_ip":"fe80::414:409d:8afd:9f05","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":640,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455738163757,"flow_src_last_pkt_time":1561455738163757,"flow_dst_last_pkt_time":1561455738163757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1561455738163757,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"169.254.162.244","src_port":49352,"dst_port":49159,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -180,8 +180,8 @@
 ~~ total active/idle flows...: 28/28
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6123327 bytes
-~~ total memory freed........: 6123327 bytes
+~~ total memory allocated....: 6123215 bytes
+~~ total memory freed........: 6123215 bytes
 ~~ total allocations/frees...: 122494/122494
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/waze.pcap.out b/test/results/waze.pcap.out
index f0fb25c5a..f30402458 100644
--- a/test/results/waze.pcap.out
+++ b/test/results/waze.pcap.out
@@ -98,8 +98,8 @@
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1435587872705148,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587872705148,"pkt":"ABoRAAACABoRAAABCABFAAAoY6pAAEAGsooKCAABNubjrLHyAFAC8Q5A\/Q7xwVAQ\/\/\/Y9AAA"}
 01018{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706282,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706282,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}}
 01026{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":203,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706862,"flow_dst_last_pkt_time":1435587872706630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706862,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}}
-01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2041,"avg":339878.5,"max":3680611,"stddev":884676.9,"var":782653259776.0,"ent":2.8,"data": [3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477,0]},"pktlen": {"min":54,"avg":1966.7,"max":11833,"stddev":3090.5,"var":9551439.0,"ent":3.5,"data": [74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
-01588{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":169,"avg":289408.8,"max":1658841,"stddev":505049.6,"var":255075106816.0,"ent":3.3,"data": [1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061,0]},"pktlen": {"min":54,"avg":567.8,"max":5515,"stddev":1270.8,"var":1615041.0,"ent":3.1,"data": [74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54]},"bins": {"c_to_s": [5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1]}}
+01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2041,"avg":339878.5,"max":3680611,"stddev":884676.9,"var":782653259776.0,"ent":2.8,"data": [3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477]},"pktlen": {"min":54,"avg":1966.7,"max":11833,"stddev":3090.5,"var":9551439.0,"ent":3.5,"data": [74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":169,"avg":289408.8,"max":1658841,"stddev":505049.6,"var":255075106816.0,"ent":3.3,"data": [1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061]},"pktlen": {"min":54,"avg":567.8,"max":5515,"stddev":1270.8,"var":1615041.0,"ent":3.1,"data": [74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54]},"bins": {"c_to_s": [5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1]}}
 01555{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}}
 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1435587871929480,"flow_src_last_pkt_time":1435587872139946,"flow_dst_last_pkt_time":1435587873486827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1435587873486827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}}
 01444{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1435587871935294,"flow_src_last_pkt_time":1435587872566264,"flow_dst_last_pkt_time":1435587873688799,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":2111,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":3479,"midstream":0,"thread_ts_usec":1435587873688799,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}}
@@ -168,10 +168,10 @@
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":461,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589106,"pkt":"ABoRAAACABoRAAABCABFAAAoS15AAEAGGJgKCAAByKAEMew\/Abump6BqWVh1BVAR\/\/\/VjgAA"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":462,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589338,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589338,"pkt":"ABoRAAACABoRAAABCABFAAAodVJAABAGHqTIoAQxCggAAQG77D9ZWHUFpqega1AQ\/\/\/VjgAA"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":463,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589665,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589665,"pkt":"ABoRAAACABoRAAABCABFAAAodVNAABAGHqPIoAQxCggAAQG77D9ZWHUFpqega1AR\/\/\/VjQAA"}
-01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":170355.3,"max":415925,"stddev":135089.4,"var":18249146368.0,"ent":4.4,"data": [1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563,0]},"pktlen": {"min":54,"avg":1838.8,"max":21942,"stddev":4660.8,"var":21723254.0,"ent":2.6,"data": [74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54]},"bins": {"c_to_s": [12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":330,"avg":191882.9,"max":1449192,"stddev":279549.5,"var":78147936256.0,"ent":3.8,"data": [2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192,0]},"pktlen": {"min":54,"avg":1394.3,"max":11186,"stddev":2994.0,"var":8963944.0,"ent":3.0,"data": [74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54]},"bins": {"c_to_s": [12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0]}}
+01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":170355.3,"max":415925,"stddev":135089.4,"var":18249146368.0,"ent":4.4,"data": [1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563]},"pktlen": {"min":54,"avg":1838.8,"max":21942,"stddev":4660.8,"var":21723254.0,"ent":2.6,"data": [74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54]},"bins": {"c_to_s": [12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01604{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":330,"avg":191882.9,"max":1449192,"stddev":279549.5,"var":78147936256.0,"ent":3.8,"data": [2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192]},"pktlen": {"min":54,"avg":1394.3,"max":11186,"stddev":2994.0,"var":8963944.0,"ent":3.0,"data": [74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54]},"bins": {"c_to_s": [12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0]}}
 01461{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}}
-01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":413,"avg":1026369.1,"max":5890947,"stddev":1778823.2,"var":3164212035584.0,"ent":3.4,"data": [9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517,0]},"pktlen": {"min":54,"avg":366.1,"max":3660,"stddev":731.9,"var":535720.0,"ent":3.5,"data": [74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54]},"bins": {"c_to_s": [10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":413,"avg":1026369.1,"max":5890947,"stddev":1778823.2,"var":3164212035584.0,"ent":3.4,"data": [9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517]},"pktlen": {"min":54,"avg":366.1,"max":3660,"stddev":731.9,"var":535720.0,"ent":3.5,"data": [74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54]},"bins": {"c_to_s": [10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1435587894241434,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587894241434,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1435587894241434,"pkt":"ABoRAAACABoRAAABCABFAAA87+5AAEAGZNsKCAABLjOtto0mAbvDfJnqAAAAAKAC\/\/\/\/twAAAgQFtAQCCAoACHYEAAAAAAEDAwg="}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":533,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894244164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587894244164,"pkt":"ABoRAAACABoRAAABCABFAAAodXFAABAGD20uM622CggAAQG7jSY8g2YVw3yZ61AS\/\/86\/gAA"}
@@ -242,10 +242,10 @@
 ~~ total active/idle flows...: 33/33
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6397502 bytes
-~~ total memory freed........: 6397502 bytes
+~~ total memory allocated....: 6397370 bytes
+~~ total memory freed........: 6397370 bytes
 ~~ total allocations/frees...: 122551/122551
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 489 chars
-~~ json string max len.......: 1997 chars
-~~ json string avg len.......: 1243 chars
+~~ json string max len.......: 1995 chars
+~~ json string avg len.......: 1242 chars
diff --git a/test/results/webex.pcap.out b/test/results/webex.pcap.out
index 4aae45723..9073c8845 100644
--- a/test/results/webex.pcap.out
+++ b/test/results/webex.pcap.out
@@ -6,7 +6,7 @@
 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444570624860575,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570624860575,"pkt":"ABoRAAACABoRAAABCABFAAAoOXRAAEAGTagKCAABQERpZ6GCAbtPGIcNsOd49FAQOQgf2QAA"}
 01161{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570624860735,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570624860735,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01518{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570625418062,"flow_dst_last_pkt_time":1444570625424499,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570625424499,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}}
-01579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":160,"avg":112724.9,"max":557327,"stddev":156273.3,"var":24421341184.0,"ent":3.7,"data": [6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546,0]},"pktlen": {"min":54,"avg":401.9,"max":2774,"stddev":588.9,"var":346810.6,"ent":3.9,"data": [74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0]}}
+01577{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":160,"avg":112724.9,"max":557327,"stddev":156273.3,"var":24421341184.0,"ent":3.7,"data": [6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546]},"pktlen": {"min":54,"avg":401.9,"max":2774,"stddev":588.9,"var":346810.6,"ent":3.9,"data": [74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0]}}
 01522{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}}
 00747{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570627404164,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570627404164,"pkt":"ABoRAAACABoRAAABCABFAAA8hnNAAEAGAJUKCAABQERpZ6GEAbuwMDkNAAAAAKACOQgO\/QAAAgQFtAQCCAoATL9+AAAAAAEDAwY="}
@@ -26,7 +26,7 @@
 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":89,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628121468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570628122668,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01206{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"webex.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628113579,"flow_src_last_pkt_time":1444570628121998,"flow_dst_last_pkt_time":1444570628514304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1444570628514304,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41350,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}}
 01208{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628565912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":129,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":129,"midstream":0,"thread_ts_usec":1444570628565912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}}
-01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":114813.1,"max":455330,"stddev":125812.7,"var":15828844544.0,"ent":4.1,"data": [5615,6788,156,1539,404661,455330,597,51300,245810,245870,436,307,223296,274841,51601,360,302,283113,286107,84087,131768,50921,51207,56841,56675,181041,181034,56067,58557,54529,58449,0]},"pktlen": {"min":54,"avg":1588.7,"max":18020,"stddev":3700.1,"var":13691056.0,"ent":2.9,"data": [74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54]},"bins": {"c_to_s": [10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":114813.1,"max":455330,"stddev":125812.7,"var":15828844544.0,"ent":4.1,"data": [5615,6788,156,1539,404661,455330,597,51300,245810,245870,436,307,223296,274841,51601,360,302,283113,286107,84087,131768,50921,51207,56841,56675,181041,181034,56067,58557,54529,58449]},"pktlen": {"min":54,"avg":1588.7,"max":18020,"stddev":3700.1,"var":13691056.0,"ent":2.9,"data": [74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54]},"bins": {"c_to_s": [10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570630272557,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1444570630272557,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"185.63.147.10","src_port":54651,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1444570630272557,"pkt":"ABoRAAACABoRAAABCABFAAA0ymtAAEAGS1oKhc4vuT+TCtV7Abs2TX647AAfvYARAZp5QwAAAQEICgBMwJ1XHSbf"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":168,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272755,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570630272755,"pkt":"ABoRAAACABoRAAABCABFAAAoAWBAABAGRHK5P5MKCoXOLwG71XvsAB+9Nk1+uVAQ\/\/\/y2gAA"}
@@ -53,7 +53,7 @@
 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1444570633360483,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570633360483,"pkt":"ABoRAAACABoRAAABCABFAAAo7DFAAEAGmuoKCAABQERpZ6GOAbtaKC3jpdfSHlAQOQgfzQAA"}
 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633362374,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570633362374,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01602{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633810470,"flow_dst_last_pkt_time":1444570633811592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":2579,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570633811592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}}
-01987{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":154174.4,"max":1031495,"stddev":247176.8,"var":61096366080.0,"ent":3.8,"data": [3053,3185,1891,2192,397016,448096,52033,52145,383,52378,209850,261823,51847,1288,975,979869,1031495,52580,53500,94069,93832,53071,53864,119063,117547,148351,147839,51431,51376,96737,96627,0]},"pktlen": {"min":54,"avg":1122.5,"max":8901,"stddev":2294.9,"var":5266404.0,"ent":3.2,"data": [74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":154174.4,"max":1031495,"stddev":247176.8,"var":61096366080.0,"ent":3.8,"data": [3053,3185,1891,2192,397016,448096,52033,52145,383,52378,209850,261823,51847,1288,975,979869,1031495,52580,53500,94069,93832,53071,53864,119063,117547,148351,147839,51431,51376,96737,96627]},"pktlen": {"min":54,"avg":1122.5,"max":8901,"stddev":2294.9,"var":5266404.0,"ent":3.2,"data": [74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570636151328,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570636151328,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.213.212","src_port":41726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570636151328,"pkt":"ABoRAAACABoRAAABCABFAAA8tbVAAEAGMwwKCAABch3V1KL+AbsYGndcAAAAAKACOQjFmAAAAgQFtAQCCAoATMLpAAAAAAEDAwY="}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636154295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570636154295,"pkt":"ABoRAAACABoRAAABCABFAAAoAY1AABAGF0lyHdXUCggAAQG7ov7n5YijGBp3XVAS\/\/+5HQAA"}
@@ -222,9 +222,9 @@
 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":663,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1444570674487975,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674499448,"pkt":"ABoRAAACABoRAAABCABFAAAoAklAABAGsB2t8wBuCggAAQG72XFdISYDot7Z\/VAS\/\/8cOwAA"}
 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":664,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1444570674500159,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674500159,"pkt":"ABoRAAACABoRAAABCABFAAAoCB9AAEAGekcKCAABrfMAbtlxAbui3tn9XSEmBFAQOQjjMwAA"}
 01141{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":665,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570674600509,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
-01997{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":339536.2,"max":2214636,"stddev":547768.4,"var":300050219008.0,"ent":3.7,"data": [14198,16626,142,3176,966820,968167,50625,52096,160025,217339,56893,151808,203416,506402,456173,506119,506174,257962,307348,51007,1799,210726,261737,55501,54303,51893,51311,2214636,2165090,3222,2890,0]},"pktlen": {"min":54,"avg":633.6,"max":10581,"stddev":1915.7,"var":3669828.5,"ent":2.6,"data": [74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54]},"bins": {"c_to_s": [13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":339536.2,"max":2214636,"stddev":547768.4,"var":300050219008.0,"ent":3.7,"data": [14198,16626,142,3176,966820,968167,50625,52096,160025,217339,56893,151808,203416,506402,456173,506119,506174,257962,307348,51007,1799,210726,261737,55501,54303,51893,51311,2214636,2165090,3222,2890]},"pktlen": {"min":54,"avg":633.6,"max":10581,"stddev":1915.7,"var":3669828.5,"ent":2.6,"data": [74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54]},"bins": {"c_to_s": [13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 01605{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570675110598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":3907,"midstream":0,"thread_ts_usec":1444570675110598,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}}
-01971{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":309,"avg":346901.8,"max":2270107,"stddev":598058.5,"var":357673959424.0,"ent":3.3,"data": [9053,24144,367,16512,915259,917382,50710,52699,154574,206585,52440,7882,9392,3319,2120,963298,961965,473,411,393,309,561975,562100,368561,368512,670,601,2270083,2270107,1037,1021,0]},"pktlen": {"min":54,"avg":324.6,"max":3961,"stddev":685.4,"var":469733.5,"ent":3.6,"data": [74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54]},"bins": {"c_to_s": [3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01969{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":309,"avg":346901.8,"max":2270107,"stddev":598058.5,"var":357673959424.0,"ent":3.3,"data": [9053,24144,367,16512,915259,917382,50710,52699,154574,206585,52440,7882,9392,3319,2120,963298,961965,473,411,393,309,561975,562100,368561,368512,670,601,2270083,2270107,1037,1021]},"pktlen": {"min":54,"avg":324.6,"max":3961,"stddev":685.4,"var":469733.5,"ent":3.6,"data": [74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54]},"bins": {"c_to_s": [3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570675941714,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570675941714,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51833,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570675941714,"pkt":"ABoRAAACABoRAAABCABFAAA8SaRAAEAGwwMKCAABPm3lnsp5AbteGJvVAAAAAKACOQhIBAAAAgQFtAQCCAoATNJxAAAAAAEDAwY="}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":737,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675945842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570675945842,"pkt":"ABoRAAACABoRAAABCABFAAAoAm5AABAGOk4+beWeCggAAQG7ynmh52QqXhib1lAS\/\/+1iAAA"}
@@ -310,7 +310,7 @@
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719041198,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570719041198,"pkt":"ABoRAAACABoRAAABCABFAAA8mB5AAEAGdIkKCAABPm3lnsqTAbu3\/XtaAAAAAKACOQj9rAAAAgQFtAQCCAoATONEAAAAAAEDAwY="}
 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570719047347,"pkt":"ABoRAAACABoRAAABCABFAAAoA+JAABAGONo+beWeCggAAQG7ypNIAoSlt\/17W1AS\/\/+1bgAA"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1494,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1444570720045734,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570720045734,"pkt":"ABoRAAACABoRAAABCABFAAAoAABAAEAGDLwKCAABPm3lnsqTAbu3\/XtbAAAAAFAEAACCJAAA"}
-01979{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":213,"avg":190001.0,"max":1366658,"stddev":352312.5,"var":124124102656.0,"ent":3.4,"data": [4232,4962,6442,7614,1312624,1366658,17526,71444,145665,198977,339,53733,129549,180935,213,51454,121214,172258,51492,51164,125484,176177,50764,50844,546,1023,264310,263832,849,855,1006853,0]},"pktlen": {"min":54,"avg":248.0,"max":3961,"stddev":677.2,"var":458632.1,"ent":3.2,"data": [74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123]},"bins": {"c_to_s": [7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01977{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":213,"avg":190001.0,"max":1366658,"stddev":352312.5,"var":124124102656.0,"ent":3.4,"data": [4232,4962,6442,7614,1312624,1366658,17526,71444,145665,198977,339,53733,129549,180935,213,51454,121214,172258,51492,51164,125484,176177,50764,50844,546,1023,264310,263832,849,855,1006853]},"pktlen": {"min":54,"avg":248.0,"max":3961,"stddev":677.2,"var":458632.1,"ent":3.2,"data": [74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123]},"bins": {"c_to_s": [7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570732086555,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570732086555,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570732086555,"pkt":"ABoRAAACABoRAAABCABFAAA8h\/tAAEAGidIKCAABPm3geMf2AbvHvWEvAAAAAKACOQgMSwAAAgQFtAQCCAoATObUAAAAAAEDAwY="}
 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732090067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570732090067,"pkt":"ABoRAAACABoRAAABCABFAAAoA+tAABAGPfc+beB4CggAAQG7x\/Y4Qp7Qx71hMFAS\/\/+9MQAA"}
@@ -398,8 +398,8 @@
 ~~ total active/idle flows...: 57/57
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6550417 bytes
-~~ total memory freed........: 6550417 bytes
+~~ total memory allocated....: 6550189 bytes
+~~ total memory freed........: 6550189 bytes
 ~~ total allocations/frees...: 123966/123966
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/websocket.pcap.out b/test/results/websocket.pcap.out
index 2c82ce4c3..6163c258d 100644
--- a/test/results/websocket.pcap.out
+++ b/test/results/websocket.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037838 bytes
-~~ total memory freed........: 6037838 bytes
+~~ total memory allocated....: 6037834 bytes
+~~ total memory freed........: 6037834 bytes
 ~~ total allocations/frees...: 121493/121493
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
diff --git a/test/results/wechat.pcap.out b/test/results/wechat.pcap.out
index 3249b338f..8c76ba9ad 100644
--- a/test/results/wechat.pcap.out
+++ b/test/results/wechat.pcap.out
@@ -87,7 +87,7 @@
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1492167355723894,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167356077508,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG700uz8YPYbAqDH6ASN8iq2QAAAgQFoAQCCApFrUFyADC8mAEDAwc="}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_src_last_pkt_time":1492167356077551,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167356077551,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0P4dAAEAG1b3AqAFny82XotNLAbtsCoMfs\/GD2YAQAOUQHAAAAQEICgAwvPFFrUFy"}
 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":133,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167356077750,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
-01753{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":287,"avg":155330.1,"max":410564,"stddev":180667.8,"var":32640860160.0,"ent":3.8,"data": [361610,361650,376,378130,3564,381307,56857,56856,287,287,2657,376606,375028,3327,373835,38287,2818,410564,21157,3298,393374,30885,401110,383706,785,383140,2859,2894,5754,1113,1113,0]},"pktlen": {"min":66,"avg":729.5,"max":5892,"stddev":1101.2,"var":1212669.5,"ent":3.9,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":287,"avg":155330.1,"max":410564,"stddev":180667.8,"var":32640860160.0,"ent":3.8,"data": [361610,361650,376,378130,3564,381307,56857,56856,287,287,2657,376606,375028,3327,373835,38287,2818,410564,21157,3298,393374,30885,401110,383706,785,383140,2859,2894,5754,1113,1113]},"pktlen": {"min":66,"avg":729.5,"max":5892,"stddev":1101.2,"var":1212669.5,"ent":3.9,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":151,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356488969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167356488969,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":153,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356489000,"flow_dst_last_pkt_time":1492167356489253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167356489253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1492167345896252,"flow_dst_last_pkt_time":1492167360622900,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"thread_ts_usec":1492167360622900,"pkt":"eJKcD6iO8IQvSpdgCABFoABrfSgAADcGnizYOs1OwKgBZwG7ugsgLP3V+HJvr4AYAV2wggAAAQEICvap78EAL9cAFwMDADI7\/WDixcApjMc4oo49oFJiwuyoshtW5rSqz9ahoHcSOkzcmjO3CkNO6pgK6XLAf2uLNg=="}
@@ -132,9 +132,9 @@
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167382020263,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167382020263,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167382020263,"pkt":"8IQvSpdgeJKcD6iOCABFAAAokulAAEAGgjbAqAFny82X058kAbutvz98aYB+jlAQAdESKQAA"}
 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":304,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382374842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1492167382374842,"pkt":"eJKcD6iO8IQvSpdgCABFoAAoL8xAAC4G9rPLzZfTwKgBZwG7nyRpgH6Orb8\/fVAQAIMTdgAAAADZK2u8"}
-01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":435,"avg":481781.3,"max":4544256,"stddev":1044110.9,"var":1090167570432.0,"ent":3.2,"data": [359228,359315,435,360585,1948,362066,491,468,3580,359717,357128,3318,369214,32832,2766,400529,15038,3260,381959,38044,403106,2395,369120,36996,438834,4139732,3287,4544256,34139,398836,1152600,0]},"pktlen": {"min":66,"avg":537.2,"max":1754,"stddev":556.0,"var":309130.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
-01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":438,"avg":465987.6,"max":3383945,"stddev":827194.4,"var":684250497024.0,"ent":3.4,"data": [353750,353837,953113,1178147,225005,127739,4445,132165,453,438,626,638,1531,362180,361114,370977,4561,375090,3297,3310,3017858,3341,3383945,31235,408978,7414,382158,34643,434308,1925965,3353,0]},"pktlen": {"min":66,"avg":760.1,"max":8291,"stddev":1463.3,"var":2141136.5,"ent":3.6,"data": [74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
-01780{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":2194923.0,"max":11774429,"stddev":3337575.2,"var":11139408723968.0,"ent":3.8,"data": [67,1713342,2033838,5903,326356,805535,1165376,11414547,11774429,393649,716591,9325022,9647966,1906296,2225757,6412,325847,425651,784494,2983400,3342263,487827,806732,9168,328050,421461,782117,1181667,1542348,420552,739953,0]},"pktlen": {"min":66,"avg":412.5,"max":1254,"stddev":492.5,"var":242574.8,"ent":4.1,"data": [264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66]},"bins": {"c_to_s": [8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":435,"avg":481781.3,"max":4544256,"stddev":1044110.9,"var":1090167570432.0,"ent":3.2,"data": [359228,359315,435,360585,1948,362066,491,468,3580,359717,357128,3318,369214,32832,2766,400529,15038,3260,381959,38044,403106,2395,369120,36996,438834,4139732,3287,4544256,34139,398836,1152600]},"pktlen": {"min":66,"avg":537.2,"max":1754,"stddev":556.0,"var":309130.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":438,"avg":465987.6,"max":3383945,"stddev":827194.4,"var":684250497024.0,"ent":3.4,"data": [353750,353837,953113,1178147,225005,127739,4445,132165,453,438,626,638,1531,362180,361114,370977,4561,375090,3297,3310,3017858,3341,3383945,31235,408978,7414,382158,34643,434308,1925965,3353]},"pktlen": {"min":66,"avg":760.1,"max":8291,"stddev":1463.3,"var":2141136.5,"ent":3.6,"data": [74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":2194923.0,"max":11774429,"stddev":3337575.2,"var":11139408723968.0,"ent":3.8,"data": [67,1713342,2033838,5903,326356,805535,1165376,11414547,11774429,393649,716591,9325022,9647966,1906296,2225757,6412,325847,425651,784494,2983400,3342263,487827,806732,9168,328050,421461,782117,1181667,1542348,420552,739953]},"pktlen": {"min":66,"avg":412.5,"max":1254,"stddev":492.5,"var":242574.8,"ent":4.1,"data": [264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66]},"bins": {"c_to_s": [8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":343,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167383949103,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167387855952,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00902{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":343,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167383949003,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1492167397120263,"flow_dst_last_pkt_time":1492167352122932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167397120263,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0ePJAAEAGFx3AqAFnQOmnvIyxFGy60MyoSq1b+oAQAO0gQAAAAQEICgAw5QaFnXDI"}
@@ -159,10 +159,10 @@
 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":382,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402310146,"flow_dst_last_pkt_time":1492167401410519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167402310146,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":389,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402503381,"flow_dst_last_pkt_time":1492167402665578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167402665578,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":391,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402665635,"flow_dst_last_pkt_time":1492167402666132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167402666132,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
-01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":652,"avg":1013658.8,"max":6862195,"stddev":1947754.9,"var":3793749016576.0,"ent":3.1,"data": [362688,362730,698,359771,652,359747,1773,1754,3156,359980,358071,7205,373852,64622,431388,4503,369570,39986,442333,4042219,3253,4448907,74384,439211,6493521,3286,6862195,32133,397513,4719084,3239,0]},"pktlen": {"min":66,"avg":510.0,"max":1754,"stddev":523.8,"var":274414.8,"ent":4.3,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
-01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":539,"avg":1334601.0,"max":6095000,"stddev":2041764.4,"var":4168801845248.0,"ent":3.5,"data": [346826,346918,899535,1092804,193235,160456,1799,162254,554,539,2941,351941,387151,4178860,3305,4577735,29191,386626,5733723,3651,6095000,83021,440653,5485473,3274,5845918,30151,387318,1889056,2742,2249980,0]},"pktlen": {"min":66,"avg":451.7,"max":1754,"stddev":521.0,"var":271486.5,"ent":4.1,"data": [74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":652,"avg":1013658.8,"max":6862195,"stddev":1947754.9,"var":3793749016576.0,"ent":3.1,"data": [362688,362730,698,359771,652,359747,1773,1754,3156,359980,358071,7205,373852,64622,431388,4503,369570,39986,442333,4042219,3253,4448907,74384,439211,6493521,3286,6862195,32133,397513,4719084,3239]},"pktlen": {"min":66,"avg":510.0,"max":1754,"stddev":523.8,"var":274414.8,"ent":4.3,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":539,"avg":1334601.0,"max":6095000,"stddev":2041764.4,"var":4168801845248.0,"ent":3.5,"data": [346826,346918,899535,1092804,193235,160456,1799,162254,554,539,2941,351941,387151,4178860,3305,4577735,29191,386626,5733723,3651,6095000,83021,440653,5485473,3274,5845918,30151,387318,1889056,2742,2249980]},"pktlen": {"min":66,"avg":451.7,"max":1754,"stddev":521.0,"var":271486.5,"ent":4.1,"data": [74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1492167422952271,"flow_dst_last_pkt_time":1492167377936495,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167422952271,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KNBAAEAGqhvAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT2SvQAAAQEICgAw\/kAycps2"}
-01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":5827255.0,"max":45056034,"stddev":15096891.0,"var":227916113772544.0,"ent":2.0,"data": [48172,48219,208,52487,725,52995,2368,2380,502,490,4525,7884,13634,51249,2766,53,28029,293,26129,2791,10149,38903,378,801,249,45379,2766,45043937,45047542,45056034,45052882,0]},"pktlen": {"min":66,"avg":267.2,"max":1484,"stddev":422.2,"var":178253.9,"ent":3.9,"data": [74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
+01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":5827255.0,"max":45056034,"stddev":15096891.0,"var":227916113772544.0,"ent":2.0,"data": [48172,48219,208,52487,725,52995,2368,2380,502,490,4525,7884,13634,51249,2766,53,28029,293,26129,2791,10149,38903,378,801,249,45379,2766,45043937,45047542,45056034,45052882]},"pktlen": {"min":66,"avg":267.2,"max":1484,"stddev":422.2,"var":178253.9,"ent":3.9,"data": [74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00717{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"flow_datalink":1,"flow_max_packets":3}
 00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":50,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":50,"pkt_l4_len":12,"thread_ts_usec":1492167440370306,"pkt":"AQBeAAAB8IQvSpdgCABGoAAkj9gAAAEC8bPAqAH+4AAAAZQEAAARZOybAAAAAAIAAAA="}
 00823{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -217,15 +217,15 @@
 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":569,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167455501611,"flow_dst_last_pkt_time":1492167455502415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167455502415,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455528205,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455528205,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8kudAAEAGglXAqAFny82XotNYAbvneYz3AAAAAKACchBIqgAAAgQFtAQCCAoAMR4QAAAAAAEDAwc="}
-01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":470,"avg":182545.8,"max":469392,"stddev":189984.8,"var":36094242816.0,"ent":4.0,"data": [366115,366204,470,368626,765,368875,8160,8175,3097,367881,365600,3239,378746,92724,1992,469392,27762,1703,407097,30016,408635,3752,397818,10943,404654,396022,789,396156,518,1239,1756,0]},"pktlen": {"min":66,"avg":605.5,"max":1754,"stddev":612.0,"var":374517.1,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01753{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":470,"avg":182545.8,"max":469392,"stddev":189984.8,"var":36094242816.0,"ent":4.0,"data": [366115,366204,470,368626,765,368875,8160,8175,3097,367881,365600,3239,378746,92724,1992,469392,27762,1703,407097,30016,408635,3752,397818,10943,404654,396022,789,396156,518,1239,1756]},"pktlen": {"min":66,"avg":605.5,"max":1754,"stddev":612.0,"var":374517.1,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":613,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455891345,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG701iyhnqT53mM+KASN8htQwAAAgQFoAQCCApFraLqADEeEAEDAwc="}
 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":614,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_src_last_pkt_time":1492167455891380,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167455891380,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0kuhAAEAGglzAqAFny82XotNYAbvneYz4soZ6lIAQAOXShAAAAQEICgAxHmpFraLq"}
 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":615,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455891558,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":648,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167456251036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167456251036,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167456251067,"flow_dst_last_pkt_time":1492167456251627,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167456251627,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
-01601{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":485,"avg":129962.4,"max":646724,"stddev":181880.5,"var":33080510464.0,"ent":3.5,"data": [360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539,0]},"pktlen": {"min":66,"avg":831.6,"max":3134,"stddev":861.6,"var":742326.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494]},"bins": {"c_to_s": [11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1]}}
+01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":485,"avg":129962.4,"max":646724,"stddev":181880.5,"var":33080510464.0,"ent":3.5,"data": [360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539]},"pktlen": {"min":66,"avg":831.6,"max":3134,"stddev":861.6,"var":742326.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494]},"bins": {"c_to_s": [11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1]}}
 01648{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
-01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":212782.5,"max":951677,"stddev":233185.6,"var":54375542784.0,"ent":4.0,"data": [378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340,0]},"pktlen": {"min":66,"avg":557.3,"max":1754,"stddev":599.1,"var":358890.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":212782.5,"max":951677,"stddev":233185.6,"var":54375542784.0,"ent":4.0,"data": [378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340]},"pktlen": {"min":66,"avg":557.3,"max":1754,"stddev":599.1,"var":358890.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00863{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00760{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00860{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1492167353687522,"flow_src_last_pkt_time":1492167354015579,"flow_dst_last_pkt_time":1492167354015537,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54085,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -306,7 +306,7 @@
 01042{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":943,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648582668,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167648583174,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":945,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1492167648494081,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167648873395,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0AABAADEGHSXLzZ4iwKgBZwG7q0tO\/rLJEoYlf4ASOQgjJgAAAgQFtAEBBAIBAwMH"}
 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":946,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1492167648873492,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167648873492,"pkt":"8IQvSpdgeJKcD6iOCABFAAAoAABAAEAGDtHAqAFny82eIqtLAbsShiV\/Tv6yylAQAOWcGwAA"}
-01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":441,"avg":560200.5,"max":6615415,"stddev":1552002.6,"var":2408711979008.0,"ent":2.6,"data": [315233,315308,441,318358,1918,319817,471,453,1116,1109,2559,316619,315146,4640,327259,29671,2699,353912,21653,4624,349989,32226,392645,18020,3295,380639,36894,359501,6259002,6615415,265584,0]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299293.4,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":441,"avg":560200.5,"max":6615415,"stddev":1552002.6,"var":2408711979008.0,"ent":2.6,"data": [315233,315308,441,318358,1918,319817,471,453,1116,1109,2559,316619,315146,4640,327259,29671,2699,353912,21653,4624,349989,32226,392645,18020,3295,380639,36894,359501,6259002,6615415,265584]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299293.4,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":968,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648902355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1492167648902355,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1"}}}
 01778{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":970,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648902391,"flow_dst_last_pkt_time":1492167648903691,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3430,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4890,"midstream":0,"thread_ts_usec":1492167648903691,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","server_names":"wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com","alpn":"h2,http\/1.1","fingerprint":"67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9"}}}
 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167650311981,"flow_src_last_pkt_time":1492167650311981,"flow_dst_last_pkt_time":1492167650311981,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167650311981,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -344,9 +344,9 @@
 00901{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167648243043,"flow_src_last_pkt_time":1492167648243043,"flow_dst_last_pkt_time":1492167648277339,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":495,"flow_src_tot_l4_payload_len":31,"flow_dst_tot_l4_payload_len":495,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":19041,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.QQ","proto_id":"5.48","encrypted":0,"breed":"Fun","category_id":9,"category":"Chat"}}
 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167650311981,"flow_src_last_pkt_time":1492167650311981,"flow_dst_last_pkt_time":1492167650345975,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":192,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
 00922{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167650348036,"flow_src_last_pkt_time":1492167650446122,"flow_dst_last_pkt_time":1492167650467068,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":1825,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}}
-01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":370,"avg":647986.3,"max":7806976,"stddev":1838759.0,"var":3381034745856.0,"ent":2.5,"data": [325248,325323,463,328002,697,328217,391,370,3942,3944,2661,325903,324620,3183,337595,77061,411866,3780,340251,28032,402656,7430680,3764,7806976,79928,412549,2872,372,340125,30342,405762,0]},"pktlen": {"min":66,"avg":459.3,"max":1494,"stddev":494.6,"var":244586.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
-01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":304,"avg":12093665.0,"max":183800554,"stddev":33303494.0,"var":1109122757951488.0,"ent":2.6,"data": [304,1000351,2000370,14687423,324,1000207,2000433,21831590,431,1000458,2000811,26318928,434,1000298,2000470,41917186,377,1000169,2000682,183800554,363,1000944,2000954,33299722,386,1000653,2000531,29036990,312,1000238,2000730,0]},"pktlen": {"min":82,"avg":82.0,"max":82,"stddev":0.0,"var":0.0,"ent":5.0,"data": [82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01798{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":285,"avg":12093665.0,"max":183800433,"stddev":33303466.0,"var":1109120811794432.0,"ent":2.6,"data": [285,1000432,2000369,14687365,298,1000306,2000399,21831547,409,1000568,2000773,26318883,413,1000363,2000495,41917120,347,1000193,2000827,183800433,319,1000975,2001003,33299664,360,1000743,2000515,29036936,291,1000323,2000677,0]},"pktlen": {"min":102,"avg":102.0,"max":102,"stddev":0.0,"var":0.0,"ent":5.0,"data": [102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":370,"avg":647986.3,"max":7806976,"stddev":1838759.0,"var":3381034745856.0,"ent":2.5,"data": [325248,325323,463,328002,697,328217,391,370,3942,3944,2661,325903,324620,3183,337595,77061,411866,3780,340251,28032,402656,7430680,3764,7806976,79928,412549,2872,372,340125,30342,405762]},"pktlen": {"min":66,"avg":459.3,"max":1494,"stddev":494.6,"var":244586.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":304,"avg":12093665.0,"max":183800554,"stddev":33303494.0,"var":1109122757951488.0,"ent":2.6,"data": [304,1000351,2000370,14687423,324,1000207,2000433,21831590,431,1000458,2000811,26318928,434,1000298,2000470,41917186,377,1000169,2000682,183800554,363,1000944,2000954,33299722,386,1000653,2000531,29036990,312,1000238,2000730]},"pktlen": {"min":82,"avg":82.0,"max":82,"stddev":0.0,"var":0.0,"ent":5.0,"data": [82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
+01796{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":285,"avg":12093665.0,"max":183800433,"stddev":33303466.0,"var":1109120811794432.0,"ent":2.6,"data": [285,1000432,2000369,14687365,298,1000306,2000399,21831547,409,1000568,2000773,26318883,413,1000363,2000495,41917120,347,1000193,2000827,183800433,319,1000975,2001003,33299664,360,1000743,2000515,29036936,291,1000323,2000677]},"pktlen": {"min":102,"avg":102.0,"max":102,"stddev":0.0,"var":0.0,"ent":5.0,"data": [102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720101930,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167720101930,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8R8JAAEAGzXrAqAFny82XotNnAbsR+WetAAAAAKACchBBBgAAAgQFtAQCCAoAMiBvAAAAAAEDAwc="}
 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1128,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167720353253,"flow_dst_last_pkt_time":1492167720353253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720353253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -364,7 +364,7 @@
 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
 01035{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167669545491,"flow_src_last_pkt_time":1492167669545491,"flow_dst_last_pkt_time":1492167669545491,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System"}}
 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
-01759{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":333,"avg":619262.2,"max":7132743,"stddev":1664228.6,"var":2769657004032.0,"ent":2.7,"data": [356187,356245,409,353317,672,353556,677,668,333,334,2390,365567,364474,5597,381303,26713,2760,403898,13549,5018,378842,57192,418881,4165,370546,28172,433154,6695589,7132743,143519,540660,0]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299307.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":333,"avg":619262.2,"max":7132743,"stddev":1664228.6,"var":2769657004032.0,"ent":2.7,"data": [356187,356245,409,353317,672,353556,677,668,333,334,2390,365567,364474,5597,381303,26713,2760,403898,13549,5018,378842,57192,418881,4165,370546,28172,433154,6695589,7132743,143519,540660]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299307.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247977,"flow_src_last_pkt_time":1492167617247977,"flow_dst_last_pkt_time":1492167617562993,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54110,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
@@ -402,7 +402,7 @@
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1266,"source":"wechat.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1492167777476579,"flow_dst_last_pkt_time":1492167777476493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167777476579,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0XvtAAEAGukDAqAFny82Tq+K3Abv08QbKs2vgPoAQAOVlIAAAAQEICgAyWHdFrtz+"}
 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1268,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777221018,"flow_dst_last_pkt_time":1492167777494071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167777494071,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01644{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1270,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777494128,"flow_dst_last_pkt_time":1492167777494665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167777494665,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
-01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":433,"avg":285719.9,"max":2508511,"stddev":565344.7,"var":319614582784.0,"ent":3.4,"data": [266637,266706,433,272250,1305,273110,594,572,2940,271769,269630,3217,281421,29714,327642,3217,299639,37418,350851,50937,3180,368575,30208,307140,2227616,3191,2508511,50935,328714,16106,3139,0]},"pktlen": {"min":66,"avg":551.9,"max":1754,"stddev":561.4,"var":315202.6,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
+01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":433,"avg":285719.9,"max":2508511,"stddev":565344.7,"var":319614582784.0,"ent":3.4,"data": [266637,266706,433,272250,1305,273110,594,572,2940,271769,269630,3217,281421,29714,327642,3217,299639,37418,350851,50937,3180,368575,30208,307140,2227616,3191,2508511,50935,328714,16106,3139]},"pktlen": {"min":66,"avg":551.9,"max":1754,"stddev":561.4,"var":315202.6,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}}
 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167781907538,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167782480271,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -504,7 +504,7 @@
 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1432,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":3,"flow_src_last_pkt_time":1492167866495436,"flow_dst_last_pkt_time":1492167866495347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167866495436,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0hOhAAEAGlFPAqAFny82Tq+K5AbuucSvGejQMP4AQAOXl+wAAAQEICgAyr2VFrzPt"}
 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1434,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866243873,"flow_dst_last_pkt_time":1492167866514555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167866514555,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
 01644{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1436,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866514612,"flow_dst_last_pkt_time":1492167866514947,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167866514947,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
-01596{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":181506.0,"max":1577028,"stddev":351924.9,"var":123851137024.0,"ent":3.2,"data": [268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258,0]},"pktlen": {"min":66,"avg":559.6,"max":1494,"stddev":599.0,"var":358844.3,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0]}}
+01594{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":181506.0,"max":1577028,"stddev":351924.9,"var":123851137024.0,"ent":3.2,"data": [268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258]},"pktlen": {"min":66,"avg":559.6,"max":1494,"stddev":599.0,"var":358844.3,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0]}}
 01649{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}}
 01050{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1478,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167871050375,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}}
 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1484,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167871323158,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167871323158,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}}
@@ -768,8 +768,8 @@
 ~~ total active/idle flows...: 109/109
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6717716 bytes
-~~ total memory freed........: 6717716 bytes
+~~ total memory allocated....: 6717280 bytes
+~~ total memory freed........: 6717280 bytes
 ~~ total allocations/frees...: 124856/124856
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/weibo.pcap.out b/test/results/weibo.pcap.out
index 04efeba94..b073da624 100644
--- a/test/results/weibo.pcap.out
+++ b/test/results/weibo.pcap.out
@@ -55,7 +55,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":53,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1463089072046092,"flow_dst_last_pkt_time":1463089072070732,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072070732,"pkt":"eJKcD6iOkDVu60UQCABFAAA0NhEAADYG4CXYOtRBwKgBaQG7h4sGjBrJ+KmsNoAQAV6y1gAAAQEICiUZAmMAQNzC"}
 01146{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":54,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089071642772,"flow_dst_last_pkt_time":1463089072125117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":5,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":5,"midstream":0,"thread_ts_usec":1463089072125117,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.weibo.com","http": {"url":"www.weibo.com\/login.php?lang=en-us","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.102 Safari\/537.36","detected_os":"Linux x86_64"}}}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":64,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1463089071994093,"flow_dst_last_pkt_time":1463089072138578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072138578,"pkt":"eJKcD6iOkDVu60UQCABFAAA0XohAABsGZHc24aPSwKgBaQG7nfhaPbwDA69SioAQAIjCywAAAQEICgEjLGEAQNyy"}
-01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":41615.1,"max":482409,"stddev":113790.6,"var":12948298752.0,"ent":2.5,"data": [29171,29227,299,28208,454492,482409,111,67,13207,13244,85,48,39,29,8363,8394,90,62,24,21,24,24,26,28,15403,15440,68319,68302,68,48,54797,0]},"pktlen": {"min":66,"avg":462.1,"max":2938,"stddev":693.4,"var":480801.9,"ent":3.8,"data": [74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":41615.1,"max":482409,"stddev":113790.6,"var":12948298752.0,"ent":2.5,"data": [29171,29227,299,28208,454492,482409,111,67,13207,13244,85,48,39,29,8363,8394,90,62,24,21,24,24,26,28,15403,15440,68319,68302,68,48,54797]},"pktlen": {"min":66,"avg":462.1,"max":2938,"stddev":693.4,"var":480801.9,"ent":3.8,"data": [74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"thread_ts_usec":1463089072333305,"pkt":"kDVu60UQeJKcD6iOCABFAAA9J7BAAEARj0XAqAFpwKgBAdEnADUAKd+0rc0BAAABAAAAAAAAA2ltZwF0BnNpbmFqcwJjbgAAAQAB"}
 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"img.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -79,8 +79,8 @@
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089072885992,"pkt":"kDVu60UQeJKcD6iOCABFAAA8J\/lAAEARjv3AqAFpwKgBAaGIADUAKAcnK+gBAAABAAAAAAAAAmpzAXQGc2luYWpzAmNuAAABAAE="}
 01004{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"js.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
-01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":37624.0,"max":314329,"stddev":71528.6,"var":5116344832.0,"ent":3.5,"data": [26765,26778,207,31365,283150,314329,2585,2590,16662,16689,12849,12816,59,38,45726,45760,5061,5035,70980,70980,5479,5518,32285,32296,43007,42980,3236,3222,2548,2543,2807,0]},"pktlen": {"min":66,"avg":710.7,"max":2938,"stddev":831.3,"var":691142.8,"ent":4.1,"data": [74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":151,"avg":40817.9,"max":400547,"stddev":92805.4,"var":8612838400.0,"ent":3.2,"data": [26749,26781,151,28232,372448,400547,6653,6652,6583,6577,15474,15480,6563,6553,9179,9174,23391,23365,49260,49303,71669,71670,3337,3323,2937,2940,2804,2796,5515,5515,3734,0]},"pktlen": {"min":66,"avg":847.8,"max":4374,"stddev":1162.9,"var":1352437.0,"ent":3.9,"data": [74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":37624.0,"max":314329,"stddev":71528.6,"var":5116344832.0,"ent":3.5,"data": [26765,26778,207,31365,283150,314329,2585,2590,16662,16689,12849,12816,59,38,45726,45760,5061,5035,70980,70980,5479,5518,32285,32296,43007,42980,3236,3222,2548,2543,2807]},"pktlen": {"min":66,"avg":710.7,"max":2938,"stddev":831.3,"var":691142.8,"ent":4.1,"data": [74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":151,"avg":40817.9,"max":400547,"stddev":92805.4,"var":8612838400.0,"ent":3.2,"data": [26749,26781,151,28232,372448,400547,6653,6652,6583,6577,15474,15480,6563,6553,9179,9174,23391,23365,49260,49303,71669,71670,3337,3323,2937,2940,2804,2796,5515,5515,3734]},"pktlen": {"min":66,"avg":847.8,"max":4374,"stddev":1162.9,"var":1352437.0,"ent":3.9,"data": [74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1463089073286278,"pkt":"kDVu60UQeJKcD6iOCABFAABDKCFAAEARjs7AqAFpwKgBAUZzADUAL2deWFEBAAABAAAAAAAAAnUxA2ltZwZtb2JpbGUEc2luYQJjbgAAAQAB"}
 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"u1.img.mobile.sina.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}}
@@ -173,9 +173,9 @@
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"weibo.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073788865,"flow_dst_last_pkt_time":1463089073788865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073788865,"pkt":"kDVu60UQeJKcD6iOCABFAAA8M4FAAEAGYnrAqAFpKpy4E8wyAbubxznpAAAAAKACchCC5wAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="}
 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073789999,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073789999,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.170.63","src_port":47723,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073789999,"pkt":"kDVu60UQeJKcD6iOCABFAAA8F+ZAAEAGKbjAqAFpjM2qP7prAbvY7h2OAAAAAKACchAfhQAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="}
-01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":259,"avg":86983.6,"max":438815,"stddev":119331.4,"var":14239989760.0,"ent":3.8,"data": [26772,26783,259,31384,276129,307295,6901,6886,153887,153903,2935,2946,375915,438815,4367,67220,2924,2959,31457,31439,138473,138467,6109,6114,4495,4505,193484,193526,28775,28708,2661,0]},"pktlen": {"min":66,"avg":528.0,"max":1502,"stddev":578.7,"var":334896.4,"ent":4.2,"data": [74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":31060.5,"max":183686,"stddev":54622.5,"var":2983621632.0,"ent":3.4,"data": [62151,62179,142,161101,22711,183686,5733,5740,2565,2546,10538,10551,5220,5299,3225,3182,2451,2404,5526,5539,2866,2854,2576,2563,4789,4821,162100,162064,26294,26318,3143,0]},"pktlen": {"min":66,"avg":647.2,"max":1502,"stddev":674.0,"var":454231.7,"ent":4.1,"data": [74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
-01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":35845.1,"max":252228,"stddev":55584.3,"var":3089619200.0,"ent":3.8,"data": [50173,50197,137,181460,70884,252228,2685,2690,2552,2523,4210,4257,31840,31804,8134,8135,11411,11401,8727,8746,2645,2641,7148,7148,13606,13617,66334,66313,92394,92405,2753,0]},"pktlen": {"min":66,"avg":647.7,"max":1502,"stddev":673.8,"var":454044.4,"ent":4.1,"data": [74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":259,"avg":86983.6,"max":438815,"stddev":119331.4,"var":14239989760.0,"ent":3.8,"data": [26772,26783,259,31384,276129,307295,6901,6886,153887,153903,2935,2946,375915,438815,4367,67220,2924,2959,31457,31439,138473,138467,6109,6114,4495,4505,193484,193526,28775,28708,2661]},"pktlen": {"min":66,"avg":528.0,"max":1502,"stddev":578.7,"var":334896.4,"ent":4.2,"data": [74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":31060.5,"max":183686,"stddev":54622.5,"var":2983621632.0,"ent":3.4,"data": [62151,62179,142,161101,22711,183686,5733,5740,2565,2546,10538,10551,5220,5299,3225,3182,2451,2404,5526,5539,2866,2854,2576,2563,4789,4821,162100,162064,26294,26318,3143]},"pktlen": {"min":66,"avg":647.2,"max":1502,"stddev":674.0,"var":454231.7,"ent":4.1,"data": [74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
+01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":35845.1,"max":252228,"stddev":55584.3,"var":3089619200.0,"ent":3.8,"data": [50173,50197,137,181460,70884,252228,2685,2690,2552,2523,4210,4257,31840,31804,8134,8135,11411,11401,8727,8746,2645,2641,7148,7148,13606,13617,66334,66313,92394,92405,2753]},"pktlen": {"min":66,"avg":647.7,"max":1502,"stddev":673.8,"var":454044.4,"ent":4.1,"data": [74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}}
 00757{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1463089073394759,"flow_src_last_pkt_time":1463089073773797,"flow_dst_last_pkt_time":1463089073773608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":428,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":428,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42275,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00886{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00753{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -250,10 +250,10 @@
 ~~ total active/idle flows...: 44/44
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6124365 bytes
-~~ total memory freed........: 6124365 bytes
+~~ total memory allocated....: 6124189 bytes
+~~ total memory freed........: 6124189 bytes
 ~~ total allocations/frees...: 122474/122474
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1761 chars
-~~ json string avg len.......: 1125 chars
+~~ json string max len.......: 1759 chars
+~~ json string avg len.......: 1124 chars
diff --git a/test/results/whatsapp.pcap.out b/test/results/whatsapp.pcap.out
index 4d6c1a815..b5c715e49 100644
--- a/test/results/whatsapp.pcap.out
+++ b/test/results/whatsapp.pcap.out
@@ -585,8 +585,8 @@
 ~~ total active/idle flows...: 86/86
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6369844 bytes
-~~ total memory freed........: 6369844 bytes
+~~ total memory allocated....: 6369500 bytes
+~~ total memory freed........: 6369500 bytes
 ~~ total allocations/frees...: 123102/123102
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 493 chars
diff --git a/test/results/whatsapp_login_call.pcap.out b/test/results/whatsapp_login_call.pcap.out
index 293a4af72..71fee60f3 100644
--- a/test/results/whatsapp_login_call.pcap.out
+++ b/test/results/whatsapp_login_call.pcap.out
@@ -72,16 +72,16 @@
 01184{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228503997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":540,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":540,"pkt_l4_len":506,"thread_ts_usec":1432582228504689,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIO1F9AAEAGq2HAqAIEEW7lDsApFGe4aFEm1IsaTIAYIACssAAAAQEICi36MxJvhmvfY2JtdD6CZ3s26zaizYDBa1\/xV9+nfluOxtxa1tx195Jafsz52yXEOESrPvfo4L8JAAp0DYIaansHyOlB83T10iMEgMWpntVaGhVYz7Ui4c09FkbWN9q+65\/aqUq4TUrgzMyqE5QUWhXZSc\/uGC0icKHu+b2FL4NHGUs7nYDs8Xc0v0flHk5486jecRIc\/ROiqHyACG3C0wwDLYD5dPHsc+oO3YTdMQHp\/Y5aWShkoF9bF0dA6YegCOYLbVQKFU7DAdWxqhRRjje8xXf+tC7iVD+agcMxzHZHBdPvzUlsa6Hnp2KvOrzs9LBI3\/AlWnTDSOZNp+mWgK4MB2zxE5cEBsbimybYF8snsRtPtIBkMUfF1XAd9wg4sSCboXV1ik63xPuzTMdOxIRWWE26PTSksHKRu47JqvdF18Y85LvvQvIIft9jAMxZNM1JpDNK3xHTwcbI8OJ5ZzkwaDArtx1Yo+du+Za4kNeW1j1f7jlL58\/xs\/9pH231BKAPZrpjtiVLnSRVafACBd5M5lgbO1u\/aSBlmIQ\/UK6DM\/jen1DGM+xWiz3ABAYXKSpL6XfsJZ+dpwtcFktAw18x3fF8GSC0\/zgV+SA55WfIkN+qTLtYiq6ct7jHTceCT8cS"}
 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582228593505,"flow_dst_last_pkt_time":1432582228041916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":166,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":166,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582228593505,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228753368,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582228753368,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0JuMAAC8Gq7gRbuUOwKgCBBRnwCnUixpMuGhRJoAQAQ6R7QAAAQEICm+GjQ4t+jMS"}
-01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":119895.3,"max":712466,"stddev":179472.3,"var":32210292736.0,"ent":3.4,"data": [281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952,0]},"pktlen": {"min":54,"avg":446.9,"max":1494,"stddev":595.1,"var":354099.2,"ent":3.9,"data": [78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54]},"bins": {"c_to_s": [9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1]}}
+01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":119895.3,"max":712466,"stddev":179472.3,"var":32210292736.0,"ent":3.4,"data": [281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952]},"pktlen": {"min":54,"avg":446.9,"max":1494,"stddev":595.1,"var":354099.2,"ent":3.9,"data": [78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54]},"bins": {"c_to_s": [9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1]}}
 01505{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"query.ess.apple.com","tls": {"version":"TLSv1.2","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}}
 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230648273,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1432582230648273,"pkt":"xiwDYGpkAPS5Jrv0CABFAABAZppAAEAGvV7AqAIEEa1CZsA0AbuMr4Y\/AAAAALAC\/\/\/iDQAAAgQFtAEDAwQBAQgKLfo7WAAAAAAEAgAA"}
-01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":199246.8,"max":709350,"stddev":171222.4,"var":29317117952.0,"ent":4.4,"data": [153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,204047,0,0]},"pktlen": {"min":66,"avg":116.8,"max":267,"stddev":60.8,"var":3698.6,"ent":4.8,"data": [78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132]},"bins": {"c_to_s": [9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":199246.8,"max":709350,"stddev":171222.4,"var":29317117952.0,"ent":4.4,"data": [153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,204047]},"pktlen": {"min":66,"avg":116.8,"max":267,"stddev":60.8,"var":3698.6,"ent":4.8,"data": [78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132]},"bins": {"c_to_s": [9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":142,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582230787552,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0jEsAAO8GKLkRrUJmwKgCBAG7wDR81DyUjK+GQIASH\/6qEgAAAgQFoAEDAwQBAQQC"}
 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1432582230854807,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582230854807,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoLotAAEAG9YXAqAIEEa1CZsA0AbuMr4ZAfNQ8lVAQQADKywAA"}
 01198{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230862990,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":148,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582231003264,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582231003264,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}}
-01873{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":57420.4,"max":246332,"stddev":88943.3,"var":7910914560.0,"ent":3.4,"data": [139279,206534,8183,215650,62,2706,195534,776,251,20,1876,267,2144,191589,2382,13135,3735,6431,14684,18,200945,301,63298,290,2226,246332,5270,14887,15,241033,179,0]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166890.9,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}}
+01871{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":57420.4,"max":246332,"stddev":88943.3,"var":7910914560.0,"ent":3.4,"data": [139279,206534,8183,215650,62,2706,195534,776,251,20,1876,267,2144,191589,2382,13135,3735,6431,14684,18,200945,301,63298,290,2226,246332,5270,14887,15,241033,179]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166890.9,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}}
 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582233314493,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582233314493,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.8","src_port":49192,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233314493,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA0kh5AAEAGATfAqAIEXbqHCMAoAFBgmxszxhyTY4ARIABAdgAAAQEICi36RbdjLQIx"}
 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233380398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233380398,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0ewoAADkGX0tduocIwKgCBABQwCjGHJNjYJsbNIAQAebnbwAAAQEICmMteVEt+kW3"}
@@ -178,7 +178,7 @@
 00915{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1432582258825375,"flow_dst_last_pkt_time":1432582258815685,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1432582258825375,"pkt":"xiwDYGpkAPS5Jrv0CABFwAFIgM0AAEARKS3AqAIEW\/2wQck+JIABNDV+gPhBLgAAPABUWSgkrOczzTmmNaWeHGyeFn5K8vlkangPxwACY7IwMpCpL5qUBEDYknjmXwiwt1Sg\/GoDEpuWps7K3BPScguv1CoIPKC+VL4kk69VBQy2eU1f6p0OhYSXKAcM\/9HmK5KZeJJnhjzxZ+J\/AtWZs+X8uDaujdvMYKyUONaU\/07PQLiEd81h3NGLNxCpTNYPkmMGXMy1y+UaiUzN89zB2\/RkHbLVqN6e+nvnnRR2frMRlVsFWAJQmXtD929e1+a2u\/RdJfu15HCbSLl3jTXDbl84mpeVYYxkc3LSpxB7HrCYZEpYcCniVsfACmA6zpHVbv1BlaoQu+KuUWJT2eQ73+Vh12sP5aPix21kFcGvLfE3UalmxPkTCEhiCOUQRQbTvOcEo103"}
 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1432582259254832,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259254832,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbNAAAEAR7efAqAIEAcJav8k+65gANKlVAAEAGCESpEKmTTdqxAPLVFlkZFwACAAUe9SyVdo3\/CPkaMOU00d3jUs\/Tzg="}
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":362,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_src_last_pkt_time":1432582259886962,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259886962,"pkt":"xiwDYGpkAPS5Jrv0CABFwABI77MAAEARawTAqAIEAcJav8k+65gANKqSAAEAGCESpEK30Ms3\/7rzJdDOeSQACAAUjiMqFpbreAaLOXedI1Eon++y9eE="}
-01913{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":44,"avg":131289.3,"max":352421,"stddev":70223.6,"var":4931354624.0,"ent":4.7,"data": [85532,95222,66134,60379,102693,208383,184141,159624,139073,188537,352421,23426,152856,55080,31139,91630,61,141160,44,163250,159227,188593,161930,163639,162107,156758,164890,143228,181638,163297,123877,0]},"pktlen": {"min":64,"avg":213.0,"max":351,"stddev":98.8,"var":9763.6,"ent":4.8,"data": [86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305]},"bins": {"c_to_s": [1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":44,"avg":131289.3,"max":352421,"stddev":70223.6,"var":4931354624.0,"ent":4.7,"data": [85532,95222,66134,60379,102693,208383,184141,159624,139073,188537,352421,23426,152856,55080,31139,91630,61,141160,44,163250,159227,188593,161930,163639,162107,156758,164890,143228,181638,163297,123877]},"pktlen": {"min":64,"avg":213.0,"max":351,"stddev":98.8,"var":9763.6,"ent":4.8,"data": [86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305]},"bins": {"c_to_s": [1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00737{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1432582267983119,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA44FwAAEABy33AqAIEW\/2wQQMDDx4AAAAARQAANHIMAAAvEUrCW\/2wQcCoAgQkgMk+ACAAAA=="}
 00862{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.105516}}
@@ -273,7 +273,7 @@
 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":965,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1432582303607918,"flow_dst_last_pkt_time":1432582303604793,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303607918,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbOUAAEARPhXAqAIEW\/2wQc46JcEANIk8AQEAGCESpEIU61RZ3ZsVVlL2qyQACAAU6CFWVCyx0lHi4kItE160ER18SxI="}
 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":972,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1432582303831637,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303831637,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIdWcAAEAR5VDAqAIEAcJav846yg8ANHIiAAEAGCESpEJT9nMzid0wAn5OIFYACAAUj7UY3ZixJKF1uir6vHE5QBib28w="}
 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":985,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1432582304464260,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582304464260,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIRQUAAEARFbPAqAIEAcJav846yg8ANIW7AAEAGCESpEIZoNpuKgJFUxs+kVcACAAURUHG5kUyySWGpYslvS2cuO+ddv8="}
-01903{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":113763.5,"max":307394,"stddev":86013.0,"var":7398240768.0,"ent":4.5,"data": [304269,307394,8384,89918,31917,6521,226162,154173,40,188009,271,163937,163420,160100,21775,153703,73,168136,122602,138908,158523,186698,16232,65895,114250,83709,193240,164541,1311,77123,55436,0]},"pktlen": {"min":68,"avg":155.0,"max":320,"stddev":58.8,"var":3453.3,"ent":4.9,"data": [86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185]},"bins": {"c_to_s": [1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
+01901{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":113763.5,"max":307394,"stddev":86013.0,"var":7398240768.0,"ent":4.5,"data": [304269,307394,8384,89918,31917,6521,226162,154173,40,188009,271,163937,163420,160100,21775,153703,73,168136,122602,138908,158523,186698,16232,65895,114250,83709,193240,164541,1311,77123,55436]},"pktlen": {"min":68,"avg":155.0,"max":320,"stddev":58.8,"var":3453.3,"ent":4.9,"data": [86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185]},"bins": {"c_to_s": [1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 01191{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1022,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1432582306376756,"flow_dst_last_pkt_time":1432582246280217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582306376756,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAIS5VYAAEARDTTAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="}
 01076{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1188,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":186,"flow_dst_packets_processed":278,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582267934161,"flow_dst_last_pkt_time":1432582268457283,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":483,"flow_dst_max_l4_payload_len":446,"flow_src_tot_l4_payload_len":19213,"flow_dst_tot_l4_payload_len":14219,"midstream":0,"thread_ts_usec":1432582311138615,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00887{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1188,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582311138615,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582311138615,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}}
@@ -304,7 +304,7 @@
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1219,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1432582355478348,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582355478348,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoTu9AAEAG1SHAqAIEEa1CZsA1Abt+ckUkpMYmoFAQQAAIJwAA"}
 01199{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1220,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582355482566,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}}
 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1222,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355622106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582355622106,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}}
-01873{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":57713.9,"max":271808,"stddev":91895.6,"var":8444797952.0,"ent":3.3,"data": [139873,225073,4218,228888,70,2672,200693,278,1388,194,2268,310,435,198176,1008,14244,4721,5042,13250,23,199875,308,34695,427,52,217025,5837,15994,11,271808,275,0]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166876.7,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}}
+01871{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":57713.9,"max":271808,"stddev":91895.6,"var":8444797952.0,"ent":3.3,"data": [139873,225073,4218,228888,70,2672,200693,278,1388,194,2268,310,435,198176,1008,14244,4721,5042,13250,23,199875,308,34695,427,52,217025,5837,15994,11,271808,275]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166876.7,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}}
 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224210874,"flow_src_last_pkt_time":1432582224240462,"flow_dst_last_pkt_time":1432582224238952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.82","src_port":49173,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}}
@@ -406,8 +406,8 @@
 ~~ total active/idle flows...: 57/57
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6206006 bytes
-~~ total memory freed........: 6206006 bytes
+~~ total memory allocated....: 6205778 bytes
+~~ total memory freed........: 6205778 bytes
 ~~ total allocations/frees...: 123314/123314
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/whatsapp_login_chat.pcap.out b/test/results/whatsapp_login_chat.pcap.out
index afc73fab8..d1441650f 100644
--- a/test/results/whatsapp_login_chat.pcap.out
+++ b/test/results/whatsapp_login_chat.pcap.out
@@ -18,7 +18,7 @@
 01165{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":531,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":531,"pkt_l4_len":497,"thread_ts_usec":1432582381179706,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIFAqxAAEAGH4jAqAIEEa1CZsA1Abt+cl8spMYxPVAYQAAK4wAA+zXxkGmxqmlJcwlR7TpHpRtDDy9iaRt9w+hOFsERXuy8gwV22TTGXYqWLP3aSg0FRpPNh6b2JxTA9OSkJEk04NCfWqJRauLthWRuA7XoVn8i6Smk+coAOa3u15Yq91KVTfK0Likn42RkhoMCTU67u6i6Y4GW7d7uWiM6L3uLokbbGTmGs29u3afEGnNWZwLcuyp6rGxmPmWxvxgkiNCzEIsj5+jDbrTqLXDyyF322ZG7ztnAr92I1EUwbaElkdT9P28rYnazLdDX3NtrMNZoVpJg+JtJ\/7kZqQ2Wqzmg\/a3xXi4EVY3r6CTewAoUnubR3Qb8d8SxZWO8dXB980UXO8ObJWaEL5I20Sp30w7kYXi8hv4VgTLwR\/5GH+diyQKZuXNNplXdUL9qR0BnzfYHcTgjG28TOg74dTk611xDBeVR4Itg6rhO4EXCbpfiRmK6bb3CXGkaTCMHxUnezI+xc2Wog+XxCXrGyOiN2uGEyOBaMLxsAdU\/WfMK5Hg2kk6QV97kZZAhmz0GEeQIuwbiHtXsFgOmiLHGkBFU3uvrL2U0AIsy\/dg28ProYM\/UVKotXUmjaEkwo4XPHqyzoqhSMSd8fGbpRTWD+Jj7SG1OLSQLZ6OzyLhulPpesWWw"}
 00876{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":477,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1917,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582381179706,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 01281{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1432582381179774,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":610,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":610,"pkt_l4_len":576,"thread_ts_usec":1432582381179774,"pkt":"xiwDYGpkAPS5Jrv0CABFAAJULUhAAEAG9JzAqAIEEa1CZsA1Abt+cmEJpMYxPVAYQAAkaQAAFwMDAifRP6n1iN3uB\/Uhy6B3MN22nTeVXJRqDhAyLGWagzjVPV67eGMiWlDpxIYk9ZRXb8ENyJMklAVg5qQxAfredM796d1woE5CM\/dDlnC9hhfBLqlOMT0Sc23vnR6S0CtE+vcI2IEc50YYFIr8cCuBcLPUtehQ+6FiIBzPUNdC8gBpCK0l8ehCaB6UsJ+9Lz+rqI7LymD80O7JD9GQGlEzf0ROrOYPwKN9oloslBYMUuNcVtuTSnZlQf6clnYgiVqjkPEIWZnj1\/SzJxC0XzXDZTCazzjZUphrvHsUFVKI\/iQfQLn2Pm20z\/bY+umTrESbc\/Rb\/jTAxKkWPlTguW5QNPTgHe+8CLbu8GlNIUhp6XnzV0lotZMlMuaBJakvd6GmWA8qWeiSGeNI8Nxabsp54T+pQf+cFTWMVSzn894mO+DZZ3gtq32z87kDjYiMhE2jHBbOrnjFvxmtQtZu7lyboSLDYh55cOzJECLrbK8MSRuDtHOP5G6iepYtPwv3WMGLCV+hTD9hULIUKlQnW8NxmNPf6x7m2WXh+T5KFO1k2GNZTSM8sWZLLJiGPB3r5p1nS3ObF9UaRS1rU\/+0JK5FT6PVQl\/T6rcJ66cGodbOS0a03YtqhfdlphEfqQSNy4IBPyE7+TYhqlI5kH8vw+oFYBVtxUinzFEEO03Tz6ey1LN8P\/4vb9rv1pyNfFxaNarK\/6\/1noAhKaU7nGWU\/L6Er+GI\/BOXYTn7Ng=="}
-01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":228923.6,"max":3030585,"stddev":711161.6,"var":505750847488.0,"ent":2.0,"data": [307,68,156057,6041,20562,3,205015,214,59650,355,76,237850,6388,13739,3,246436,156,2803227,690,58,155,163,149,3030585,5762,13968,11,3,10327,10365,268249,0]},"pktlen": {"min":54,"avg":529.6,"max":1494,"stddev":518.7,"var":269058.2,"ent":4.3,"data": [1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127]},"bins": {"c_to_s": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":228923.6,"max":3030585,"stddev":711161.6,"var":505750847488.0,"ent":2.0,"data": [307,68,156057,6041,20562,3,205015,214,59650,355,76,237850,6388,13739,3,246436,156,2803227,690,58,155,163,149,3030585,5762,13968,11,3,10327,10365,268249]},"pktlen": {"min":54,"avg":529.6,"max":1494,"stddev":518.7,"var":269058.2,"ent":4.3,"data": [1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127]},"bins": {"c_to_s": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}}
 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 01188{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582396509617,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAISQPEAAEARsZnAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="}
 00879{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}}
@@ -57,8 +57,8 @@
 ~~ total active/idle flows...: 9/9
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6059418 bytes
-~~ total memory freed........: 6059418 bytes
+~~ total memory allocated....: 6059382 bytes
+~~ total memory freed........: 6059382 bytes
 ~~ total allocations/frees...: 121659/121659
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/whatsapp_voice_and_message.pcap.out b/test/results/whatsapp_voice_and_message.pcap.out
index 83c1b2956..90ca5652f 100644
--- a/test/results/whatsapp_voice_and_message.pcap.out
+++ b/test/results/whatsapp_voice_and_message.pcap.out
@@ -45,7 +45,7 @@
 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820571488232,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571488232,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":126,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820571488232,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.73.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}}
 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432820571716839,"pkt":"ABoRAAACABoRAAABCABFAABIABxAABAR+EMfDUkwCggAAQ2W0XQANGvUAQMAGCESpEIAAOlKSWdSWOu7U1cAIAAIAAGOsJ6wzx5AAgAIAAABTZrC3xA="}
 00683{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1432820571716900,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":168,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":168,"pkt_l4_len":134,"thread_ts_usec":1432820571716900,"pkt":"ABoRAAACABoRAAABCABFwACaAABAAEARx00KCAABHw1JMNF0DZYAhta5AAMAaiESpEIAAOlKSWdSWOu7U1dAAABmAQCy86Qxc0\/TrfZVVa\/eTEZDohPoeRLoRZc1aFVhrGc1f8RW2vMjT5P8rAsiwZ+p9NloXItIT0xPBspixBWhh83rOo673FqXfKhsmqCbgcYysEXxS1G0BQlmTNaw3EzKh7wFRa3N"}
-01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":838960.6,"max":10748901,"stddev":2599895.5,"var":6759456964608.0,"ent":2.2,"data": [61035,61126,147705,147918,346802,397248,61,50507,310058,310119,199799,397950,91,198181,50507,50568,386718,386688,54077,104523,50476,50446,398316,399963,10696747,10748901,336,153,244,335,183,0]},"pktlen": {"min":54,"avg":107.4,"max":469,"stddev":97.6,"var":9526.4,"ent":4.6,"data": [74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133]},"bins": {"c_to_s": [9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":838960.6,"max":10748901,"stddev":2599895.5,"var":6759456964608.0,"ent":2.2,"data": [61035,61126,147705,147918,346802,397248,61,50507,310058,310119,199799,397950,91,198181,50507,50568,386718,386688,54077,104523,50476,50446,398316,399963,10696747,10748901,336,153,244,335,183]},"pktlen": {"min":54,"avg":107.4,"max":469,"stddev":97.6,"var":9526.4,"ent":4.6,"data": [74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133]},"bins": {"c_to_s": [9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820624900403,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820624900403,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.42","src_port":44819,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1432820624900403,"pkt":"ABoRAAACABoRAAABCABFAAA85gNAAEAGcjAKCAABnlU6Kq8TFGbeopMoAAAAAKACOQiB\/gAAAgQFtAQCCAoABHUrAAAAAAEDAwQ="}
 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820625066907,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820625066907,"pkt":"ABoRAAACABoRAAABCABFAAAoACpAABAGiB6eVToqCggAARRmrxMhXWzX3qKTKVAS\/\/8J0AAA"}
@@ -56,7 +56,7 @@
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1432820633802533,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633803845,"pkt":"ABoRAAACABoRAAABCABFAAAoADlAABAG1BCtwN69CggAARRmpQHPUwduMKz4klAS\/\/9f4wAA"}
 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1432820633804974,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633804974,"pkt":"ABoRAAACABoRAAABCABFAAAogDhAAEAGJBEKCAABrcDevaUBFGYwrPiSz1MHb1AQOQgm3AAA"}
 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820633834790,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820633834790,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
-01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":64151.9,"max":457947,"stddev":103861.5,"var":10787211264.0,"ent":3.7,"data": [1312,2441,29816,31189,401459,457947,56427,244,122,152,50476,50415,214,112548,112763,50812,57282,6500,274,183,50385,50538,122,50415,131042,50415,131164,122,50507,50629,793,0]},"pktlen": {"min":54,"avg":102.2,"max":559,"stddev":100.3,"var":10067.6,"ent":4.6,"data": [74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54]},"bins": {"c_to_s": [10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":64151.9,"max":457947,"stddev":103861.5,"var":10787211264.0,"ent":3.7,"data": [1312,2441,29816,31189,401459,457947,56427,244,122,152,50476,50415,214,112548,112763,50812,57282,6500,274,183,50385,50538,122,50415,131042,50415,131164,122,50507,50629,793]},"pktlen": {"min":54,"avg":102.2,"max":559,"stddev":100.3,"var":10067.6,"ent":4.6,"data": [74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54]},"bins": {"c_to_s": [10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820568947491,"flow_src_last_pkt_time":1432820628171429,"flow_dst_last_pkt_time":1432820569427136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.252.121.1","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820569427258,"flow_src_last_pkt_time":1432820629171551,"flow_dst_last_pkt_time":1432820570006695,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"179.60.192.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00935{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820567259228,"flow_src_last_pkt_time":1432820625171734,"flow_dst_last_pkt_time":1432820567917126,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.84.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -70,7 +70,7 @@
 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1432820681899121,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901135,"pkt":"ABoRAAACABoRAAABCABFAAAoAFlAABAGh6yeVTptCggAARRmwjmuxBSBUTvrf1AS\/\/\/2ZgAA"}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":185,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1432820681901684,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901684,"pkt":"ABoRAAACABoRAAABCABFAAAoYBJAAEAG9\/IKCAABnlU6bcI5FGZRO+t\/rsQUglAQOQi9XwAA"}
 00882{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820681935773,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820681935773,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
-01739{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":91,"avg":148234.7,"max":1768433,"stddev":316376.5,"var":100094115840.0,"ent":3.4,"data": [2014,2563,34089,34790,390289,440887,50599,183,91,50446,50537,139282,139252,92,50506,50445,92,51240,51147,213,122,77789,128296,50873,179230,229706,260559,260559,50476,50476,1768433,0]},"pktlen": {"min":54,"avg":99.1,"max":308,"stddev":70.4,"var":4957.0,"ent":4.7,"data": [74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90]},"bins": {"c_to_s": [11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
+01737{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":91,"avg":148234.7,"max":1768433,"stddev":316376.5,"var":100094115840.0,"ent":3.4,"data": [2014,2563,34089,34790,390289,440887,50599,183,91,50446,50537,139282,139252,92,50506,50445,92,51240,51147,213,122,77789,128296,50873,179230,229706,260559,260559,50476,50476,1768433]},"pktlen": {"min":54,"avg":99.1,"max":308,"stddev":70.4,"var":4957.0,"ent":4.7,"data": [74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90]},"bins": {"c_to_s": [11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}}
 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820568947491,"flow_src_last_pkt_time":1432820628171429,"flow_dst_last_pkt_time":1432820569427136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.252.121.1","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820569427258,"flow_src_last_pkt_time":1432820629171551,"flow_dst_last_pkt_time":1432820570006695,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"179.60.192.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
 00935{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820567259228,"flow_src_last_pkt_time":1432820625171734,"flow_dst_last_pkt_time":1432820567917126,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.84.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}}
@@ -106,10 +106,10 @@
 ~~ total active/idle flows...: 13/13
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6081222 bytes
-~~ total memory freed........: 6081222 bytes
+~~ total memory allocated....: 6081170 bytes
+~~ total memory freed........: 6081170 bytes
 ~~ total allocations/frees...: 121875/121875
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 511 chars
-~~ json string max len.......: 1756 chars
-~~ json string avg len.......: 1133 chars
+~~ json string max len.......: 1754 chars
+~~ json string avg len.......: 1132 chars
diff --git a/test/results/whatsappfiles.pcap.out b/test/results/whatsappfiles.pcap.out
index ed8446851..c74ddf6db 100644
--- a/test/results/whatsappfiles.pcap.out
+++ b/test/results/whatsappfiles.pcap.out
@@ -7,14 +7,14 @@
 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083501147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924083506116,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083598208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":1398,"midstream":0,"thread_ts_usec":1519924083598208,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01542{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083599471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":3208,"midstream":0,"thread_ts_usec":1519924083599471,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","server_names":"*.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB"}}}
-01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":846062.3,"max":24639770,"stddev":4345174.0,"var":18880535724032.0,"ent":0.5,"data": [89960,91931,2998,95622,1439,1232,31,95929,999,78942,282792,460945,6,97926,4,3994,6995,998,5,4,115136,17,1231,43,102916,998,41079,24639770,4996,5995,2998,0]},"pktlen": {"min":66,"avg":343.1,"max":1464,"stddev":491.8,"var":241822.2,"ent":3.9,"data": [78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464]},"bins": {"c_to_s": [9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0],"s_to_c": [5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":846062.3,"max":24639770,"stddev":4345174.0,"var":18880535724032.0,"ent":0.5,"data": [89960,91931,2998,95622,1439,1232,31,95929,999,78942,282792,460945,6,97926,4,3994,6995,998,5,4,115136,17,1231,43,102916,998,41079,24639770,4996,5995,2998]},"pktlen": {"min":66,"avg":343.1,"max":1464,"stddev":491.8,"var":241822.2,"ent":3.9,"data": [78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464]},"bins": {"c_to_s": [9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0],"s_to_c": [5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240121220,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1519924240121220,"pkt":"XEl5dU5qkLkxKPrKCABFAABAAABAAEAG5oDAqAIduTzYNcIiAbuCj0EnAAAAALDC\/\/+6MAAAAgQFtAEDAwYBAQgKKOd3WAAAAAAEAgAA"}
 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1519924240177946,"pkt":"kLkxKPrKXEl5dU5qCABFAAA8AABAAFUG0YS5PNg1wKgCHQG7wiLPr2ypgo9BKKASbTgw1AAAAgQFggQCCAq3hjooKOd3WAEDAwg="}
 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":313,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1519924240182174,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1519924240182174,"pkt":"XEl5dU5qkLkxKPrKCABFAAA0AABAAEAG5ozAqAIduTzYNcIiAbuCj0Eoz69sqoAQCAXEZQAAAQEICijnd5W3hjoo"}
 01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":314,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240183173,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240244034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1519924240244034,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}}
-01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":19146.4,"max":107518,"stddev":30886.0,"var":953946176.0,"ent":3.3,"data": [56726,60954,999,65972,116,64953,998,4998,4,994,4,59896,50958,5,7285,18,4137,107,10987,4,86355,107518,6,1398,909,1355,1209,1240,1010,1222,1201,0]},"pktlen": {"min":66,"avg":499.4,"max":1464,"stddev":599.2,"var":359069.1,"ent":4.0,"data": [78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464]},"bins": {"c_to_s": [6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
+01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":19146.4,"max":107518,"stddev":30886.0,"var":953946176.0,"ent":3.3,"data": [56726,60954,999,65972,116,64953,998,4998,4,994,4,59896,50958,5,7285,18,4137,107,10987,4,86355,107518,6,1398,909,1355,1209,1240,1010,1222,1201]},"pktlen": {"min":66,"avg":499.4,"max":1464,"stddev":599.2,"var":359069.1,"ent":4.0,"data": [78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464]},"bins": {"c_to_s": [6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00939{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":161,"flow_dst_packets_processed":149,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924193366820,"flow_dst_last_pkt_time":1519924193429446,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":178544,"flow_dst_tot_l4_payload_len":4980,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00939{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":132,"flow_dst_packets_processed":178,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924247388841,"flow_dst_last_pkt_time":1519924247384385,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":1170,"flow_dst_tot_l4_payload_len":225649,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}}
 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","packets-captured":620,"packets-processed":620,"total-skipped-flows":0,"total-l4-payload-len":410343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1519924247388841}
@@ -26,10 +26,10 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6069894 bytes
-~~ total memory freed........: 6069894 bytes
+~~ total memory allocated....: 6069886 bytes
+~~ total memory freed........: 6069886 bytes
 ~~ total allocations/frees...: 122133/122133
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
-~~ json string max len.......: 1745 chars
-~~ json string avg len.......: 1120 chars
+~~ json string max len.......: 1743 chars
+~~ json string avg len.......: 1119 chars
diff --git a/test/results/whois.pcapng.out b/test/results/whois.pcapng.out
index d774f58a4..f94432e5c 100644
--- a/test/results/whois.pcapng.out
+++ b/test/results/whois.pcapng.out
@@ -30,8 +30,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6045816 bytes
-~~ total memory freed........: 6045816 bytes
+~~ total memory allocated....: 6045804 bytes
+~~ total memory freed........: 6045804 bytes
 ~~ total allocations/frees...: 121538/121538
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/windowsupdate_over_http.pcap.out b/test/results/windowsupdate_over_http.pcap.out
index 7ed73eced..38ffe0a66 100644
--- a/test/results/windowsupdate_over_http.pcap.out
+++ b/test/results/windowsupdate_over_http.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037118 bytes
-~~ total memory freed........: 6037118 bytes
+~~ total memory allocated....: 6037114 bytes
+~~ total memory freed........: 6037114 bytes
 ~~ total allocations/frees...: 121522/121522
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 504 chars
diff --git a/test/results/wireguard.pcap.out b/test/results/wireguard.pcap.out
index b27eab285..53cfdf6a6 100644
--- a/test/results/wireguard.pcap.out
+++ b/test/results/wireguard.pcap.out
@@ -5,7 +5,7 @@
 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628757,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1563973554628780,"pkt":"OCxKuzMdABAY3q0FCABFAACsFXoAADURYtGLosCdwKgADspsjRQAmIUlBAAAAL5AaY1sAAAAAAAAAApaAsrtXpH1hJEWMIaMon2Jp07DYKtFnos9KJ2dxNXsnPOlMw8teGIqqtQyAhfCvZKfSoj8FKmPC1PCtu8qqniK567s\/wF6cALr5IJXHXdFnmr1I94kKjzDU62XCT24xGedWrUZRek84+e2Fsx1lJJ6NR9cFgw9VnO9J77GX8hL"}
 00624{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628915,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1563973554628915,"pkt":"ABAY3q0FOCxKuzMdCABFAAB8LYcAAEARP\/TAqAAOi6LAnY0UymwAaNyeBAAAAG2mYV5wAAAAAAAAAAo35XrmOHswcilnP2QelKUcrUyMt+9zQAFDeYSUJyyw9BNkc7uq5jhjxm51P1MBuT08PEWRrzriFSk+BrqayZkHU3Oi+bUZJb76bMmarQhF"}
 00874{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554642219,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":944,"flow_dst_tot_l4_payload_len":368,"midstream":0,"thread_ts_usec":1563973554642219,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
-01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":606302.4,"max":5525882,"stddev":1489465.9,"var":2218508681216.0,"ent":2.5,"data": [23,158,13304,82421,23440,98,92806,699,114421,124480,180,238536,14265,86010,36434,91,108248,778,113616,3087006,3060616,97488,183654,5525873,24,5525882,16499,87990,44371,59,115907,0]},"pktlen": {"min":138,"avg":260.0,"max":842,"stddev":181.0,"var":32764.0,"ent":4.7,"data": [842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138]},"bins": {"c_to_s": [0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
+01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":606302.4,"max":5525882,"stddev":1489465.9,"var":2218508681216.0,"ent":2.5,"data": [23,158,13304,82421,23440,98,92806,699,114421,124480,180,238536,14265,86010,36434,91,108248,778,113616,3087006,3060616,97488,183654,5525873,24,5525882,16499,87990,44371,59,115907]},"pktlen": {"min":138,"avg":260.0,"max":842,"stddev":181.0,"var":32764.0,"ent":4.7,"data": [842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138]},"bins": {"c_to_s": [0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1241,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":714,"flow_dst_packets_processed":526,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973605316022,"flow_dst_last_pkt_time":1563973605316188,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":302280,"flow_dst_tot_l4_payload_len":80034,"midstream":0,"thread_ts_usec":1563973605316188,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1381,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":792,"flow_dst_packets_processed":588,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973656994951,"flow_dst_last_pkt_time":1563973656882661,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":319860,"flow_dst_tot_l4_payload_len":89542,"midstream":0,"thread_ts_usec":1563973656994951,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1551,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":889,"flow_dst_packets_processed":661,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973716802971,"flow_dst_last_pkt_time":1563973716804203,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":342916,"flow_dst_tot_l4_payload_len":101510,"midstream":0,"thread_ts_usec":1563973716804203,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}}
@@ -23,10 +23,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6105216 bytes
-~~ total memory freed........: 6105216 bytes
+~~ total memory allocated....: 6105212 bytes
+~~ total memory freed........: 6105212 bytes
 ~~ total allocations/frees...: 123886/123886
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 494 chars
-~~ json string max len.......: 1759 chars
-~~ json string avg len.......: 1125 chars
+~~ json string max len.......: 1757 chars
+~~ json string avg len.......: 1124 chars
diff --git a/test/results/wow.pcap.out b/test/results/wow.pcap.out
index 71000c261..a2aa9729d 100644
--- a/test/results/wow.pcap.out
+++ b/test/results/wow.pcap.out
@@ -40,8 +40,8 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6051301 bytes
-~~ total memory freed........: 6051301 bytes
+~~ total memory allocated....: 6051281 bytes
+~~ total memory freed........: 6051281 bytes
 ~~ total allocations/frees...: 121634/121634
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/xdmcp.pcap.out b/test/results/xdmcp.pcap.out
index 58af109c1..a5f06edd3 100644
--- a/test/results/xdmcp.pcap.out
+++ b/test/results/xdmcp.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035819 bytes
-~~ total memory freed........: 6035819 bytes
+~~ total memory allocated....: 6035815 bytes
+~~ total memory freed........: 6035815 bytes
 ~~ total allocations/frees...: 121493/121493
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
diff --git a/test/results/xiaomi.pcap.out b/test/results/xiaomi.pcap.out
index 5f28fc85e..f95f1dde1 100644
--- a/test/results/xiaomi.pcap.out
+++ b/test/results/xiaomi.pcap.out
@@ -53,8 +53,8 @@
 ~~ total active/idle flows...: 7/7
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6059856 bytes
-~~ total memory freed........: 6059856 bytes
+~~ total memory allocated....: 6059828 bytes
+~~ total memory freed........: 6059828 bytes
 ~~ total allocations/frees...: 121621/121621
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/xss.pcap.out b/test/results/xss.pcap.out
index ea17a140b..1d098d9b7 100644
--- a/test/results/xss.pcap.out
+++ b/test/results/xss.pcap.out
@@ -21,8 +21,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6037930 bytes
-~~ total memory freed........: 6037930 bytes
+~~ total memory allocated....: 6037922 bytes
+~~ total memory freed........: 6037922 bytes
 ~~ total allocations/frees...: 121515/121515
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 488 chars
diff --git a/test/results/youtube_quic.pcap.out b/test/results/youtube_quic.pcap.out
index 9607d062d..41e9cbcea 100644
--- a/test/results/youtube_quic.pcap.out
+++ b/test/results/youtube_quic.pcap.out
@@ -10,7 +10,7 @@
 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823738796,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363823738796,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}}
 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823782478,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823782478,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTqYeCGI\/o1o3gkQjAfrje9Hje5P995YFE4ABUkVKAAgAAABTVEsAPAAAAFNOTwB0AAAAUFJPRroAAABTQ0ZHWQEAAFJSRUpdAQAAU1RUTGUBAABDU0NUVwIAAENSVP\/\/BQAA+LXECKXyXyaGkNvk1LnkKe2HcwZSdJKMjSZdwRtRvlgkC7wrIojsxa12VSbQ+UqytsSw5ZWrAguctbN84e+itVKKdDan60SbCn6HO8EhAZXhZCoi6zTXVPfruFP+xbK0jobs4P1ETvvj7642AaRXoyX3AiUwRAIga0VZvCZ3TBiWNQTgv6KY8y2d9RkggowYQwi1RHlUtm4CIDUxV08RC49VVgJORrtGSNh+UsyMA8+5V0kTzoS1\/6EyU0NGRwgAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABUQktQIAAAAFBVQlNDAAAAS0VYU0cAAABPQklUTwAAAEVYUFlXAAAAQUVTR0NDMjBrdmP1GwKyBEvvwtZJjj6PQ0hJRFRCMTAgAAC7MI00KZ1MP25xAs8ApFxY\/QSpEMcZP7AIDZmbDnFGD0MyNTUwMDAwMDAwMEDbx1gAAAAADAAAAND3AQAAAAAAAPAAdQDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVplaZe7AAAEAwBGMEQCIFrxuSR6yQfoERjhpyCo\/HC4DbnJyy5PDUNSQYvoLd7WAiA1du1k\/DfC+hSnbCFZ+CiZL\/WBsCA2tHRh+V5os9e8wAB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABWmVpmAsAAAQDAEgwRgIhAK1Z+StuHvhEQzbhrizA0oP28zksTi\/aWkPYynKMWI7wAiEAoZsd0Sdt7uEo3XB3wMmgRGZNny2cfedCYnG3zpLag4YBA37tgIaiFYKRAgAAAAMB6IFgkpIa6AAAAAAAKgcAAHi7gTUtv1NjZwCWXOxKBk1sXJA2HIf55ae2MzL3PkFvyFGxkQUqDMwNjIyMgPkFmJfA7TkDUyC2MDUHdaIKsVrFwcPlDEw3aflFeZmJsATJzsPrm1+aVwJKXWGZqeVwd\/EguwvUlgC5i0dcCximIGFgJilKBqbG1Dxw1BtEGgizsQO9e84W2BLhADOYGdmZnRhYMt6FvD+wnV996Zw\/hsoKnDX1AkfE3LjmrmD0Xbj\/45IfeVee\/OywebVOPSnedOpTyamR\/2zN7jmfePP5sO3s0PyvawoWN7GsN2hiWU2oLGtizgMpEGRpYk4FchKbcLm1SUZLL7GgoBiHrApEtiAfzNUrBqaYxPRUqGJgYi4Gq+LT0kvKyU+HKWsSBPILUIWUtEBUbn4eMKcm4jBGE6QGbLcuVIVuSn55Xk5+Ygq6UnVMpaUF2BQqYChEVwEMgJT80qSc1OSczORs9ADgBoZbekEG3F8QzSnAIioVLAQP1+LKvBRo5QWWEIFJlKcm5WSmQ02Q19IrTkxLzSstwBHgYAV5KUn5FTgUKGrpEQoceYQS7IEioYUrJhFa9YpTgUFSgq6AByVW+dGjWYFgJEvhCWxORFDzowe0KPbgEMISyNrFJcB4SNYrSMwDOiE3Mx9f2hXDIS6LPxz4S\/PSMnOA5VFqil5eankxUtuLvcEgA6kEjwGWQdpIZbM8tLgsyM6EGgoukd09Hd2NwIWvNlJxD1MMDC6gj4sNkXWAqgCk9qDW3+B7S2xzw150iDxJLJ4oWT2f5yFamwi5WMfaiVKENDKAtRxaz4WDjS29kQdYohsYQFpFmgbqBqoLlBco"}
 02313{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823783077,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823783077,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTtjVCGI\/o1o3gkQjAl1iY1+IPhyu0ittLaQBLgUZARLyTw62Xo9mQ7Tn55dir+alTNnl+EuTXetgrtU\/li3WZUF3t3EtPfqBg1nJrPp7bar7qdPHbjH8jwhk+pimkWuq6rVs4cviafuTL\/pWbDvkJD1zwixjdUFbM0aGipe63\/v0luly7P6xK4d1\/V35zVlHfZnq9OpLDbRdp3F95Wn77GK+6cqsr8cEfY77RjhzSh7Unhdryl2mU\/IhTPRZgsMXhZ65ayI6rm07a3GnaGsF6wp\/3rLVzcqh63smBXkUr5RrfvOpMsbbX\/13ZPXcymfXdeZ+LWmcELGYmfOd+prGpXeZdtiyB0ssnuZwNOYGp72hD8PxC2ds8mZMXnnvqd7Gb2w82Yw3Hn\/6nvVjXthRi\/UnDQF+1X0RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":7092.9,"max":47402,"stddev":13323.0,"var":177502752.0,"ent":3.3,"data": [43682,599,47402,292,154,45,22593,22345,6,41882,73,4311,1249,5208,1009,1199,2078,995,1205,2173,1079,939,1972,1276,1007,2312,930,1274,2300,574,7716,0]},"pktlen": {"min":73,"avg":865.5,"max":1392,"stddev":620.1,"var":384534.2,"ent":4.5,"data": [1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392]},"bins": {"c_to_s": [0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":7092.9,"max":47402,"stddev":13323.0,"var":177502752.0,"ent":3.3,"data": [43682,599,47402,292,154,45,22593,22345,6,41882,73,4311,1249,5208,1009,1199,2078,995,1205,2173,1079,939,1972,1276,1007,2312,930,1274,2300,574,7716]},"pktlen": {"min":73,"avg":865.5,"max":1392,"stddev":620.1,"var":384534.2,"ent":4.5,"data": [1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392]},"bins": {"c_to_s": [0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 02312{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363824401150,"pkt":"gCqojWksxCwDBkn+CABFAAVisIYAAEARAADAqAEH2DrNQtJjAbsFTmyMDXhX73QJ\/9nIUTAzNQGC9mpeAxq6QsMNjNmgAQAEQ0hMTx0AAABQQUQACAEAAFNOSQAjAQAAU1RLAF0BAABWRVIAYQEAAENDUwBxAQAATk9OQ5EBAABNU1BDlQEAAEFFQUSZAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tZ29vZ2xlYWRzLmcuZG91YmxlY2xpY2submV0gCa63gfstks25NXDBda+jRe1AwMuFIPOgLr8Vdt88WUvAddL7KVg5kyrPLEzz5PxZEMuEuhwybaZ0VEwMzUB6IFgkpIa6H7tgIaiFYKRWMXjcDAwMDAwMDAwQoHc+xZQMEvJrifGGZTcfUn5aXxkAAAAQ0MyMGJldGEgQ2hyb21lLzU3LjAuMjk4Ny45OCBJbnRlbCBNYWMgT1MgWCAxMF8xMl8za3Zj9RsCsgRL78LWSY4+jwAAAABYNTA5AAAQAAEAAAAeAAAAcOPFWAAAAACN\/AA7IChJw\/uFk6rkJtT8KHam\/zP1YJxL1R6PGerdhviM0jsqfVXK1sMGRgIfu1Gw5yjD\/\/Q\/fKW3aZLxbK0ZZAAAAAEAAABDMjU1qvorPqjeOwuq+is+qN47Cz2t9HxBefiRQAt7kKmueet+NAEAgygqfGXu0L2syT5vA8mDxoSqG087cDiVovZ6s0ywmTUWtgw5lXy+Ac4T6qWEMJOPvUqVQrabfhIiKh6bU4h\/Diu+B3D3YFOkHFOA3JEmhpJ\/3PZn9DncBSC36LdWvsJ8Uwgl2IG2lc1SfhMotW8c5gE3wCT8YVfQJL1vCNMKzgZWBrzkDiYZ7cTxYUMsLfK1F7K2mD1WVm4PU008ujahjZ6t1bAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"googleads.g.doubleclick.net","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}}
@@ -28,8 +28,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6047426 bytes
-~~ total memory freed........: 6047426 bytes
+~~ total memory allocated....: 6047414 bytes
+~~ total memory freed........: 6047414 bytes
 ~~ total allocations/frees...: 121799/121799
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 497 chars
diff --git a/test/results/youtubeupload.pcap.out b/test/results/youtubeupload.pcap.out
index 8229520a6..eb6e5a35b 100644
--- a/test/results/youtubeupload.pcap.out
+++ b/test/results/youtubeupload.pcap.out
@@ -17,7 +17,7 @@
 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578051971,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1511102578051971,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"upload.youtube.com","quic": {"user_agent":"Chrome\/62.0.3202.94 Windows NT 10.0; Win64; x64"}}}
 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578108526,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578108526,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTs8jCAjRAddSQpCnAZLrpBY0DjIhd5jwe0ABH5UBAQD\/\/\/\/1BgCAAVJFSgAIAAAAU1RLADgAAABTTk8AbAAAAFBST0a0AAAAU0NGR1MBAABSUkVKVwEAAFNUVExfAQAAQ1NDVFECAABDUlT\/XwkAAOdd9OCaMJjZHEuQSnBheExXijy9L8yxcLxijUGUgt7VeQLmXHCE0dSCjTwUu4DOXBlw0HTG62CtZtu2a6Ru1X+sH1IA2FJqDRpGVA5MHyMKc7vKtJZUWy6Wq\/FvJH3N94ZirXYSBfeq9Qo8ATBGAiEAppVGAzltTsobgX744i5bBeIqIDO\/YtwFhdblUPMaf9ECIQDgN5eoKUWZEY4A\/yjD3jA5j4ZdDcRSfqhMU1oZUTGdIVNDRkcIAAAAQUVBRAgAAABTQ0lEGAAAAFBETUQcAAAAVEJLUCAAAABQVUJTQwAAAEtFWFNHAAAAT0JJVE8AAABFWFBZVwAAAEFFU0dDQzIw9lqyAICUa+kwugeWBsbKvkNISURUQjEwIAAAhphHmLi5BO0Bd0EZ92vmXccblzalgzbYj90Qfoq9ozBDMjU1MDAwMDAwMDBAFRRaAAAAAAwAAADNfAIAAAAAAADwAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFfeBYhgQAABAMARjBEAiBdvW4RdrxYmmjeJbc+3jgs5l6RJLipl3aPIQhj9TtUVgIgA9hjkGDtPgI+WyeFtwtRP0uw9dCVeIWw5SDGQbdmUYsAdwDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAV94FiCrAAAEAwBIMEYCIQCUIhZCh2zhmqj0uNpoeUCnAI4TO75j9mv1oMYRKX9EbwIhAIVqH7drJ4DDuKcAhaeeCXOoj8EoQkKnHGLbzkyKPDlhAQEDAeiBYJKSGugAAAAAALsLAAB4u4FGwB+tWGtQE1cUJpBXY6I8VdDyFNEgYZOQAr7wiYpWBawlaIsJ2cBCSCJJwEgVWK3A4KNOsVAVxfdjqlClUhXRURAFClYRHasEpKBgRdBILVjtzS6ETSYz9oczmdmc777Onnvu9527WTQrwFy0TRBKTcQLKrp9dm9xz+ylJ4l0NALQ0SJTNhpMGAZIGIUiTgYb8pXrDXnhuTHeCAI35bB6mBzcF\/AwMggEG8\/l8gN4AQK8oOLyArh8PlZQSS0uRWcy5oK8kSqS5YhoKCFpTNbnCo1cbciulQicavSLSfTLCXLA\/GIy2SCmBhjbXCGAaeAd62cA1adjf2xINJs5VuSOLXMcnO6g0xtjxu1zfIrK71z\/\/lBHSmjev8J8r4IzjW36x8zZNOc0+uStj3j5jQFTCvdXObyJDvLf4usWsNFD234IpYyDUMoYbF1AYEyIMUxgprRFy4BQm1YDYkdGbe4DoxE1cRNlsTkiuSRZgUgwczQwlUpYHofIYWI3ezYnVqbQSIiYI5sjEQfx+cECvhGWo1QwPWhGR4JnLMjJFDVvaGa8k59ILpJp1UisCsNHDLsjIhoybIah1TiI3NROUJramkR0FPHFOKJkc0BjBojNewCvTYGkdWaA2nxIipzgswQmGLCKYEiTCUa8hmAgaoIhlxEMpYmhNmwBbogkgDbw4BmdwRG5YU9wALQmwaAKwbrZDaEpiARWYJAhC1RqQKaxhmEsggUaGWzDvnEJ\/3lDO54Eq5NBL2JvMBWod+IRjNRQW4MlI+YJ2HmtQqPWiGE\/uSJWoUhEjKk3iJt1gyUaXPYxnAZwNUeMxRakTVIchroY"}
 02333{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578109522,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578109522,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTrFpCAjRAddSQpCnArwHRDvEv6bzYWaHzaQBBSEEhrNWhsBytYq44AhiRo+TwCmwTKGEk42JPpys442NKgutZCyRqQAAtRXqaDF9GcRDYiH0Y\/Fi0MLsDELQGJhY4OvQsShgL0wMj6PF4FCw0EDxBIlYDUjOl0D+boN8rExECEHyX7Bo9gIexu6+BD0Z6jwYVS5xhEFjCAVnb9OEZ+1zI6xu60jhXe7FYiEjXGJWdBF1I+wRdfS48r74X1JeZ567KHa5EJ3pD3ngVQyQUTCSgZUFTVprCgmiU6lxmUwgGRCEl12TIR\/Iu8iryOND7yMz0xaswN6jCztbGOmK9M1HAtnb0p6qNH6hov6O7rqWzJfC2lmeHtZeU6WbjsS8u3ntcJQzOr2oWOwTXcLWes24V6eOPFWo8+TNul2fEFLQ78eM1PXs2XQnqjfDqk3auk2v6+r9pEcxm7ylpmzrihbHoOb9i7fucvoKaS0tCfOsbMqMP3nB9ezFL69FLLtTF+p+dsZl1fPc\/DBpqVvY0e9eHrAZ+VA9+k3JGb\/9upojFbdLGEEHzpW4tGy79WmG8IZ+5InTV7teNKN9mWsYUcLOpqcV59uW1kr1OramoTHz1vv11JzRr2tDd4S\/WkfbF2P7ZGza6rI\/j9Us8WXle5QG\/b6jzfNgyphjqo6oKWSDFJMnAQGwxaXYlmTl4Z1d0i88lvqCkib10ZlL8sf48IBpMSTg8YAY8\/iBmBZzeXzwEwQLgqM\/pux\/6Oa0l01OXX1\/+c6p1ENoy\/3lC8tzQnqdlS7ZoRtbdlT15tR7dEe\/E7HKePNyitQjIpd9cbgeFe\/qfiaMud5KybCv\/DovpHzVwiB95N8TOgZ2djpVNugjWfqwt\/tXNG+oKEpUZF25tdxtEmQz6wFdFS5Lfz91+rFA6vZLi+3IzzZMaO745y137UDe3TWvOGHFc27XdlUmuJypi3zktDjX7YazyO23wuMzY303CxB48w3nqlDPN5G7Ktoywmyvs\/+6kO9uVx38oy25qEe0fpf31qURmsfnntNrHN\/WeyacXdoQapOfb7Pxys\/NacXz+Q0XZq4ta9Z7e19lCXIKCwdG2mlzXAOrircnI\/g3DpRkByLCMjmYFj9jDB9zi+fW\/KMGh8A\/npA75EqgFPvB8xrHUWmTYjFShuyNNEGHqOBhDa5jAvygcyBwwyoCN6wtE0wGiocL7zg1ftXFTvv\/oJAPXPQs8EXNovaf7kkkqasq1vY36F29qncjsStini1pcp7kJZFuH1+dlSGJIedOLC7QMZTl5c4zutP4J9Iv6SmNyouUidqu3dUF52nOcEDd9M6QKlK\/grnxj\/XK1Uve+Vn11FT4bS89njFAcsiu3RvSfjG1ZmrcZ6\/q7\/pYJ88tuiS37l1AWTuTJOy02+fyavOojKMH1wn8z1UfTB\/zTWvuytPdcdnhPtCaI+KIa4F3p3V9yyYFZR1sUJ46vP5m5ZOaqgflXryX78ZeTWvRTfNvvGXb8cOSgXllHhLWeas8yH5iVlRBMCVoVB26EFSw0u7LpTGV75XHW9Nztb6\/wrxD58u4nYzXfW68h\/8B+TYP2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":80,"avg":207043.7,"max":1883081,"stddev":509890.4,"var":259988193280.0,"ent":2.4,"data": [56118,973,59784,1844,356,60874,87,57514,351,30658,1096880,488,1126775,721,1825776,1883081,71241,80,128481,3345,2763,363,669,1041,1120,1220,1141,1157,1131,1161,1163,0]},"pktlen": {"min":58,"avg":781.8,"max":1392,"stddev":621.3,"var":386013.8,"ent":4.4,"data": [1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392]},"bins": {"c_to_s": [0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0],"s_to_c": [4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
+01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":80,"avg":207043.7,"max":1883081,"stddev":509890.4,"var":259988193280.0,"ent":2.4,"data": [56118,973,59784,1844,356,60874,87,57514,351,30658,1096880,488,1126775,721,1825776,1883081,71241,80,128481,3345,2763,363,669,1041,1120,1220,1141,1157,1131,1161,1163]},"pktlen": {"min":58,"avg":781.8,"max":1392,"stddev":621.3,"var":386013.8,"ent":4.4,"data": [1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392]},"bins": {"c_to_s": [0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0],"s_to_c": [4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00772{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1511102576835328,"flow_src_last_pkt_time":1511102576954116,"flow_dst_last_pkt_time":1511102576952686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1430,"flow_src_tot_l4_payload_len":295,"flow_dst_tot_l4_payload_len":4409,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":80,"flow_dst_packets_processed":20,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580286427,"flow_dst_last_pkt_time":1511102580285015,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":97113,"flow_dst_tot_l4_payload_len":5163,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
 00929{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102594783349,"flow_dst_last_pkt_time":1511102594936951,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":8105,"flow_dst_tot_l4_payload_len":6001,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}}
@@ -30,8 +30,8 @@
 ~~ total active/idle flows...: 3/3
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6055330 bytes
-~~ total memory freed........: 6055330 bytes
+~~ total memory allocated....: 6055318 bytes
+~~ total memory freed........: 6055318 bytes
 ~~ total allocations/frees...: 121666/121666
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 498 chars
diff --git a/test/results/z3950.pcapng.out b/test/results/z3950.pcapng.out
index 08008c45e..e33287a5f 100644
--- a/test/results/z3950.pcapng.out
+++ b/test/results/z3950.pcapng.out
@@ -22,8 +22,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042268 bytes
-~~ total memory freed........: 6042268 bytes
+~~ total memory allocated....: 6042260 bytes
+~~ total memory freed........: 6042260 bytes
 ~~ total allocations/frees...: 121530/121530
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 492 chars
diff --git a/test/results/zabbix.pcap.out b/test/results/zabbix.pcap.out
index 8ccc05470..9a28fee42 100644
--- a/test/results/zabbix.pcap.out
+++ b/test/results/zabbix.pcap.out
@@ -15,8 +15,8 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6035935 bytes
-~~ total memory freed........: 6035935 bytes
+~~ total memory allocated....: 6035931 bytes
+~~ total memory freed........: 6035931 bytes
 ~~ total allocations/frees...: 121497/121497
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/zattoo.pcap.out b/test/results/zattoo.pcap.out
index 002c9525e..e6f7d2413 100644
--- a/test/results/zattoo.pcap.out
+++ b/test/results/zattoo.pcap.out
@@ -22,8 +22,8 @@
 ~~ total active/idle flows...: 2/2
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6042680 bytes
-~~ total memory freed........: 6042680 bytes
+~~ total memory allocated....: 6042672 bytes
+~~ total memory freed........: 6042672 bytes
 ~~ total allocations/frees...: 121539/121539
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 491 chars
diff --git a/test/results/zcash.pcap.out b/test/results/zcash.pcap.out
index b961439d0..222eb11dd 100644
--- a/test/results/zcash.pcap.out
+++ b/test/results/zcash.pcap.out
@@ -5,7 +5,7 @@
 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1514196094240063,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1514196094322725,"pkt":"cIXCQA64fmgbW\/gUCABFAAA8AABAADMGDb6yIMTZwKgCXCNa15Yj5r0mgJ3\/OqAScSDZNwAAAgQFtAQCCArshW\/8T467sAEDAwk="}
 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1514196094322778,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196094322778,"pkt":"fmgbW\/gUcIXCQA64CABFAAA0ux5AAEAGRafAqAJcsiDE2deWI1qAnf86I+a9J4AQAOV4LAAAAQEICk+Ou8XshW\/8"}
 01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196094322947,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196094322947,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
-02006{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":6013975.0,"max":50191373,"stddev":12033642.0,"var":144808530149376.0,"ent":3.2,"data": [82662,82715,169,82626,1477,83954,12149836,12261597,111733,2618837,2732392,113543,6931182,7043979,112799,7848884,7848880,48786215,308388,319989,608003,50191373,143,24,41664,210617,4833234,4833228,8034710,8116947,41430,0]},"pktlen": {"min":66,"avg":156.6,"max":369,"stddev":98.9,"var":9779.1,"ent":4.7,"data": [74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129]},"bins": {"c_to_s": [9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
+02004{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":6013975.0,"max":50191373,"stddev":12033642.0,"var":144808530149376.0,"ent":3.2,"data": [82662,82715,169,82626,1477,83954,12149836,12261597,111733,2618837,2732392,113543,6931182,7043979,112799,7848884,7848880,48786215,308388,319989,608003,50191373,143,24,41664,210617,4833234,4833228,8034710,8116947,41430]},"pktlen": {"min":66,"avg":156.6,"max":369,"stddev":98.9,"var":9779.1,"ent":4.7,"data": [74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129]},"bins": {"c_to_s": [9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":88,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":88,"packets-processed":87,"total-skipped-flows":0,"total-l4-payload-len":6805,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1514196730496095}
 01144{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":62,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514197248783309,"flow_dst_last_pkt_time":1514197248783271,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":6299,"flow_dst_tot_l4_payload_len":4723,"midstream":0,"thread_ts_usec":1514197248783309,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}}
 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":145,"packets-processed":145,"total-skipped-flows":0,"total-l4-payload-len":11022,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1514197248783309}
@@ -17,10 +17,10 @@
 ~~ total active/idle flows...: 1/1
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6050130 bytes
-~~ total memory freed........: 6050130 bytes
+~~ total memory allocated....: 6050126 bytes
+~~ total memory freed........: 6050126 bytes
 ~~ total allocations/frees...: 121635/121635
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 2011 chars
-~~ json string avg len.......: 1215 chars
+~~ json string max len.......: 2009 chars
+~~ json string avg len.......: 1214 chars
diff --git a/test/results/zoom.pcap.out b/test/results/zoom.pcap.out
index 13d74d59c..de587ba69 100644
--- a/test/results/zoom.pcap.out
+++ b/test/results/zoom.pcap.out
@@ -102,7 +102,7 @@
 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470165906,"flow_dst_last_pkt_time":1569520470280367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1569520470280367,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}}
 01431{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470280708,"flow_dst_last_pkt_time":1569520470280793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5608,"midstream":0,"thread_ts_usec":1569520470280793,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569520470350181,"flow_dst_last_pkt_time":1569520466080774,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"thread_ts_usec":1569520470350181,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="}
-01570{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38469.9,"max":210729,"stddev":59394.9,"var":3527759616.0,"ent":3.3,"data": [112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148,0]},"pktlen": {"min":54,"avg":677.0,"max":1506,"stddev":660.1,"var":435695.1,"ent":4.2,"data": [78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0]}}
+01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38469.9,"max":210729,"stddev":59394.9,"var":3527759616.0,"ent":3.3,"data": [112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148]},"pktlen": {"min":54,"avg":677.0,"max":1506,"stddev":660.1,"var":435695.1,"ent":4.2,"data": [78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0]}}
 01435{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1569520470666966,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="}
@@ -158,7 +158,7 @@
 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471221044,"flow_dst_last_pkt_time":1569520471255395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569520471255395,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01556{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471255585,"flow_dst_last_pkt_time":1569520471266033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5536,"midstream":0,"thread_ts_usec":1569520471266033,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471399595,"flow_dst_last_pkt_time":1569520467811636,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"thread_ts_usec":1569520471399595,"pkt":"EBMx8Tl2KDc3AG3ICABFAABjAABAAEAGoUnAqAF1PpWYmdRFA+E5lpAkp\/QQcoAYEAA2VgAAAQEICiWc4viZh0dJFwMDACpAXTQxH2s8yyXvpDmREm16+\/VcNt\/x\/vlsIce1k7D8R+clMelpc+AJPCA="}
-01854{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28227.3,"max":156067,"stddev":40349.6,"var":1628089600.0,"ent":3.8,"data": [31621,31782,223,32749,1986,135,18,34538,3,10485,3,10554,60088,93852,33789,375,31290,30856,4598,4,36582,6223,38193,156062,156067,114,1,94,10606,59053,3101,0]},"pktlen": {"min":66,"avg":434.5,"max":1506,"stddev":552.4,"var":305116.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237]},"bins": {"c_to_s": [10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
+01852{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28227.3,"max":156067,"stddev":40349.6,"var":1628089600.0,"ent":3.8,"data": [31621,31782,223,32749,1986,135,18,34538,3,10485,3,10554,60088,93852,33789,375,31290,30856,4598,4,36582,6223,38193,156062,156067,114,1,94,10606,59053,3101]},"pktlen": {"min":66,"avg":434.5,"max":1506,"stddev":552.4,"var":305116.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237]},"bins": {"c_to_s": [10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1569520471748648,"pkt":"EBMx8Tl2KDc3AG3ICABFAACHYY4AAEARSPnAqAF1bV6gY+PXImEAcwEfAQACfUZNNf\/9ojRJXQ1tO1HolgAAAAAAAAACAHoAKgB6ACoAAABADhc935YCXvuVxCQMI1O\/y\/Bgvpncu9jEece5cy1sdfpDYvCDXrg+TanGp+bzCbMeQN8Pa7V1aoQPcx2bwfanLQAAAAA="}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
@@ -171,7 +171,7 @@
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":425,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471915269,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471915269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471915269,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":60620,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":442,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939789,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1569520471939789,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA\/uqdAADURuydtXqBjwKgBdSJh7MwAK7AuAgABgEJ0mpHOZDa3wq7Yfnt8kABaDj8AegDRAAAAAAAAAAA="}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":443,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1569520471939806,"pkt":"KDc3AG3IEBMx8Tl2CABFAAApuqhAADURuzxtXqBjwKgBdSJh7MwAFUSkAwAAAAF2Ko4UAFoOPwAAAAAA"}
-01744{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":10365.7,"max":35562,"stddev":8525.9,"var":72690992.0,"ent":4.5,"data": [31967,28,32217,4719,35562,13763,10264,10242,9996,63,10130,10327,9979,9966,107,9866,10246,10252,10251,126,10146,9980,10130,10478,32,9954,10261,9714,10315,406,9850,0]},"pktlen": {"min":55,"avg":886.8,"max":1071,"stddev":383.7,"var":147246.2,"ent":4.8,"data": [149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071]},"bins": {"c_to_s": [1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
+01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":10365.7,"max":35562,"stddev":8525.9,"var":72690992.0,"ent":4.5,"data": [31967,28,32217,4719,35562,13763,10264,10242,9996,63,10130,10327,9979,9966,107,9866,10246,10252,10251,126,10146,9980,10130,10478,32,9954,10261,9714,10315,406,9850]},"pktlen": {"min":55,"avg":886.8,"max":1071,"stddev":383.7,"var":147246.2,"ent":4.8,"data": [149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071]},"bins": {"c_to_s": [1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00648{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":151,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":151,"pkt_l4_len":117,"thread_ts_usec":1569520473084563,"pkt":"EBMx8Tl2KDc3AG3ICABFAACJ4\/YAAEARxo7AqAF1bV6gY\/EjImEAde5DAQACOkSxT2rBSy0CI5EJ7ghSoQAAAAAAAAACAHoFYgB6BWIAAABAyr1YPP8KZ34wUqB9PR5Zle\/sBvgfAfGBqNzDFPjrnryOYaOvAtAdhsk5Sd978V5OWjrnwByNSAVBXX+sDOwgiv\/\/\/\/8KAA=="}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
@@ -221,8 +221,8 @@
 ~~ total active/idle flows...: 33/33
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6355572 bytes
-~~ total memory freed........: 6355572 bytes
+~~ total memory allocated....: 6355440 bytes
+~~ total memory freed........: 6355440 bytes
 ~~ total allocations/frees...: 122604/122604
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 190 chars
diff --git a/test/results/zoom2.pcap.out b/test/results/zoom2.pcap.out
index bb83176b9..42af221c3 100644
--- a/test/results/zoom2.pcap.out
+++ b/test/results/zoom2.pcap.out
@@ -7,12 +7,12 @@
 01235{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458577638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965458578318,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1642965458752945,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}}
 01572{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752990,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1642965458752990,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7"}}}
-01844{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":58874.8,"max":198571,"stddev":83051.8,"var":6897604608.0,"ent":3.4,"data": [174660,174776,564,174002,1305,35,10,9,175382,5,1,23625,1263,198571,173076,348,174461,174128,5783,7,187559,672,15,182407,110,83,84,878,803,496,2,0]},"pktlen": {"min":66,"avg":464.3,"max":1506,"stddev":547.4,"var":299645.5,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270]},"bins": {"c_to_s": [11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
+01842{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":58874.8,"max":198571,"stddev":83051.8,"var":6897604608.0,"ent":3.4,"data": [174660,174776,564,174002,1305,35,10,9,175382,5,1,23625,1263,198571,173076,348,174461,174128,5783,7,187559,672,15,182407,110,83,84,878,803,496,2]},"pktlen": {"min":66,"avg":464.3,"max":1506,"stddev":547.4,"var":299645.5,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270]},"bins": {"c_to_s": [11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965459595620,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459595620,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXeHsAAEARZSPAqAGykMNJmuztImEAgzNnAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hPwBvYT8AAABA5tdm9ZTyTIyTAkYLAufeKJLgneU8bl8DozakMMlr\/JDYAlm5+8RxsTcW0dGDYHnKojsP3MD2C2S9PgF8PPhtdgAAAAAAQABAAAB1MAABAAMAAiAA"}
 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459696999,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXZlQAAEARd0rAqAGykMNJmuztImEAg30SAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hpABvYaQAAABASNx7XNkhaVV2TkWPa7HXWfzTaegL7lyuofS42ADMsef1ZS+nG51oqDil0vt0Fn4zbdXfyiCV8oAbYGEn4LlcKwAAAAAAQABAAAB1MAABAAMAAiAA"}
 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459762205,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965459762205,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvJFAADER8FuQw0mawKgBsiJh7O0ANHLoAgADyErEUocYzaK4R3obiZ8zgwBPg3gAb2E\/AAAAAAAAAAAAQABAAAPgAwA="}
-01604{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":25414.0,"max":166585,"stddev":40490.2,"var":1639456256.0,"ent":3.6,"data": [101379,166585,27,72990,12330,100439,29,101849,72959,11921,4860,10860,10480,10129,246,9160,10351,10320,11352,21,292,9440,8565,5418,4862,82,10799,10006,10476,9401,205,0]},"pktlen": {"min":60,"avg":718.7,"max":1078,"stddev":464.6,"var":215864.3,"ent":4.6,"data": [165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078]},"bins": {"c_to_s": [0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]}}
+01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":25414.0,"max":166585,"stddev":40490.2,"var":1639456256.0,"ent":3.6,"data": [101379,166585,27,72990,12330,100439,29,101849,72959,11921,4860,10860,10480,10129,246,9160,10351,10320,11352,21,292,9440,8565,5418,4862,82,10799,10006,10476,9401,205]},"pktlen": {"min":60,"avg":718.7,"max":1078,"stddev":464.6,"var":215864.3,"ent":4.6,"data": [165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078]},"bins": {"c_to_s": [0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]}}
 00880{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00881{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":207,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460219455,"flow_dst_last_pkt_time":1642965460219455,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965460219455,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -23,10 +23,10 @@
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460317924,"flow_dst_last_pkt_time":1642965460395901,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460395901,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvbFAADER7zuQw0mawKgBsiJh4wUANKrxAgADlUCX4nL8uBw5x1bMJMqfpQBPg3kAb2OvAAAAAAAAAAAAQABAAAPgAwA="}
 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460359314,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"thread_ts_usec":1642965460461401,"pkt":"EBMx8Tl2KDc3AG3ICABFAACZ6kAAAEAR81vAqAGykMNJmuJhImEAhaEiAQADwkJYttycXaTnsMPEsai0ugAAAAAAAAACAG9koQBvZKEAAABA6DEQatkP0ZiaMugg0SFSq6JqmaXOleBRM3eRUGv0uLvPr6CL4g3oVryKRdoOzve7SJqEd+2jwB1vjsn7k5LMNv\/\/\/\/8AQABAAAB1MAABAAMAAiAACgA="}
 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460546911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460546911,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvg1AAC8R8N+Qw0mawKgBsiJh4mEANErbAgADwkJYttycXaTnsMPEsai0ugBPg3oAb2Q7AAAAAAAAAAAAQABAAAPgAwA="}
-01591{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":42778.1,"max":176446,"stddev":48878.6,"var":2389121792.0,"ent":4.1,"data": [98469,176446,124,85491,9538,94754,12,99878,94166,12337,1946,12440,20627,16992,20131,168367,18000,3631,10879,10252,19350,32137,20903,115345,15,17844,18745,20098,20216,21487,85502,0]},"pktlen": {"min":60,"avg":143.0,"max":203,"stddev":35.8,"var":1279.8,"ent":4.9,"data": [165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130]},"bins": {"c_to_s": [0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]}}
+01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":42778.1,"max":176446,"stddev":48878.6,"var":2389121792.0,"ent":4.1,"data": [98469,176446,124,85491,9538,94754,12,99878,94166,12337,1946,12440,20627,16992,20131,168367,18000,3631,10879,10252,19350,32137,20903,115345,15,17844,18745,20098,20216,21487,85502]},"pktlen": {"min":60,"avg":143.0,"max":203,"stddev":35.8,"var":1279.8,"ent":4.9,"data": [165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130]},"bins": {"c_to_s": [0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]}}
 00879{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
-01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":46715.2,"max":187597,"stddev":42950.9,"var":1844783744.0,"ent":4.3,"data": [102087,187597,15,105625,59,93505,28,87640,70667,56,105994,30,21517,32815,58979,18,48377,5541,49496,50209,26,8,55223,45719,56325,52361,22,59786,52118,47745,58582,0]},"pktlen": {"min":60,"avg":105.1,"max":185,"stddev":44.6,"var":1993.4,"ent":4.9,"data": [167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69]},"bins": {"c_to_s": [7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]}}
+01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":46715.2,"max":187597,"stddev":42950.9,"var":1844783744.0,"ent":4.3,"data": [102087,187597,15,105625,59,93505,28,87640,70667,56,105994,30,21517,32815,58979,18,48377,5541,49496,50209,26,8,55223,45719,56325,52361,22,59786,52118,47745,58582]},"pktlen": {"min":60,"avg":105.1,"max":185,"stddev":44.6,"var":1993.4,"ent":4.9,"data": [167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69]},"bins": {"c_to_s": [7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]}}
 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00727{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965500049643,"flow_src_last_pkt_time":1642965500049643,"flow_dst_last_pkt_time":1642965500049643,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965500049643,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
@@ -48,10 +48,10 @@
 ~~ total active/idle flows...: 5/5
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6406911 bytes
-~~ total memory freed........: 6406911 bytes
+~~ total memory allocated....: 6406891 bytes
+~~ total memory freed........: 6406891 bytes
 ~~ total allocations/frees...: 133516/133516
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 490 chars
-~~ json string max len.......: 1849 chars
-~~ json string avg len.......: 1168 chars
+~~ json string max len.......: 1847 chars
+~~ json string avg len.......: 1167 chars